Sysmon events exported from win-dc-11.attackrange.local, channel Microsoft-Windows-Sysmon/Operational. Every record carries Level 4, Opcode 0, Keywords 0x8000000000000000, Task equal to its EventID, and one empty (-) column between Computer and UtcTime; those constant fields are omitted from the rows below. Fields are comma-separated, one header row per event type.

EventID 10, ProcessAccess (event version 3). The CallTrace column refers to these three traces:
CT1: C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
CT2: C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
CT3: C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821

RecordID,UtcTime,SourceProcessGUID,SourceProcessId,SourceThreadId,SourceImage,TargetProcessGUID,TargetProcessId,TargetImage,GrantedAccess,CallTrace
97994,2021-02-22 22:05:55.278,{0F0CAB0C-E51D-6033-0C00-00000000AD01},608,1056,C:\Windows\system32\svchost.exe,{0F0CAB0C-E680-6033-2501-00000000AD01},5596,C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe,0x3600,CT1
97995,2021-02-22 22:05:55.278,{0F0CAB0C-E51D-6033-0C00-00000000AD01},608,1056,C:\Windows\system32\svchost.exe,{0F0CAB0C-E67F-6033-2401-00000000AD01},5336,C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe,0x3600,CT1
97997,2021-02-22 22:05:56.279,{0F0CAB0C-E51D-6033-0C00-00000000AD01},608,1056,C:\Windows\system32\svchost.exe,{0F0CAB0C-E680-6033-2501-00000000AD01},5596,C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe,0x3600,CT1
97998,2021-02-22 22:05:56.279,{0F0CAB0C-E51D-6033-0C00-00000000AD01},608,1056,C:\Windows\system32\svchost.exe,{0F0CAB0C-E67F-6033-2401-00000000AD01},5336,C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe,0x3600,CT1
98000,2021-02-22 22:05:57.279,{0F0CAB0C-E51D-6033-0C00-00000000AD01},608,1056,C:\Windows\system32\svchost.exe,{0F0CAB0C-E680-6033-2501-00000000AD01},5596,C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe,0x3600,CT1
98001,2021-02-22 22:05:57.279,{0F0CAB0C-E51D-6033-0C00-00000000AD01},608,1056,C:\Windows\system32\svchost.exe,{0F0CAB0C-E67F-6033-2401-00000000AD01},5336,C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe,0x3600,CT1
98003,2021-02-22 22:05:58.280,{0F0CAB0C-E51D-6033-0C00-00000000AD01},608,1056,C:\Windows\system32\svchost.exe,{0F0CAB0C-E680-6033-2501-00000000AD01},5596,C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe,0x3600,CT1
98004,2021-02-22 22:05:58.280,{0F0CAB0C-E51D-6033-0C00-00000000AD01},608,1056,C:\Windows\system32\svchost.exe,{0F0CAB0C-E67F-6033-2401-00000000AD01},5336,C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe,0x3600,CT1
98006,2021-02-22 22:05:59.281,{0F0CAB0C-E51D-6033-0C00-00000000AD01},608,1056,C:\Windows\system32\svchost.exe,{0F0CAB0C-E680-6033-2501-00000000AD01},5596,C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe,0x3600,CT1
98007,2021-02-22 22:05:59.281,{0F0CAB0C-E51D-6033-0C00-00000000AD01},608,1056,C:\Windows\system32\svchost.exe,{0F0CAB0C-E67F-6033-2401-00000000AD01},5336,C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe,0x3600,CT1
98010,2021-02-22 22:06:00.281,{0F0CAB0C-E51D-6033-0C00-00000000AD01},608,1056,C:\Windows\system32\svchost.exe,{0F0CAB0C-E680-6033-2501-00000000AD01},5596,C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe,0x3600,CT1
98011,2021-02-22 22:06:00.281,{0F0CAB0C-E51D-6033-0C00-00000000AD01},608,1056,C:\Windows\system32\svchost.exe,{0F0CAB0C-E67F-6033-2401-00000000AD01},5336,C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe,0x3600,CT1
98014,2021-02-22 22:06:02.192,{0F0CAB0C-E51D-6033-0C00-00000000AD01},608,1056,C:\Windows\system32\svchost.exe,{0F0CAB0C-E680-6033-2501-00000000AD01},5596,C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe,0x3600,CT1
98015,2021-02-22 22:06:02.192,{0F0CAB0C-E51D-6033-0C00-00000000AD01},608,1056,C:\Windows\system32\svchost.exe,{0F0CAB0C-E67F-6033-2401-00000000AD01},5336,C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe,0x3600,CT1
98017,2021-02-22 22:06:03.193,{0F0CAB0C-E51D-6033-0C00-00000000AD01},608,1056,C:\Windows\system32\svchost.exe,{0F0CAB0C-E680-6033-2501-00000000AD01},5596,C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe,0x3600,CT1
98018,2021-02-22 22:06:03.193,{0F0CAB0C-E51D-6033-0C00-00000000AD01},608,1056,C:\Windows\system32\svchost.exe,{0F0CAB0C-E67F-6033-2401-00000000AD01},5336,C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe,0x3600,CT1
98031,2021-02-22 22:06:04.846,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E67F-6033-2401-00000000AD01},5336,C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe,0x1000,CT2
98032,2021-02-22 22:06:04.847,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E680-6033-2501-00000000AD01},5596,C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe,0x1000,CT3
98033,2021-02-22 22:06:04.847,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E680-6033-2501-00000000AD01},5596,C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe,0x1000,CT3
98034,2021-02-22 22:06:04.847,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E680-6033-2501-00000000AD01},5596,C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe,0x1000,CT3
98035,2021-02-22 22:06:04.847,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT3
98036,2021-02-22 22:06:04.847,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT2
98037,2021-02-22 22:06:04.847,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT3
98038,2021-02-22 22:06:04.847,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT2
98039,2021-02-22 22:06:04.847,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT3
98040,2021-02-22 22:06:04.847,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT2
98041,2021-02-22 22:06:04.847,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT3
98042,2021-02-22 22:06:04.847,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT2
98043,2021-02-22 22:06:04.847,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT3
98044,2021-02-22 22:06:04.847,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT2
98045,2021-02-22 22:06:04.847,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT3
98046,2021-02-22 22:06:04.847,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT2
98047,2021-02-22 22:06:04.848,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT3
98048,2021-02-22 22:06:04.848,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT2
98049,2021-02-22 22:06:04.848,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT3
98050,2021-02-22 22:06:04.848,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT2
98051,2021-02-22 22:06:04.848,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT3
98052,2021-02-22 22:06:04.848,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT2
98053,2021-02-22 22:06:04.848,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT3
98054,2021-02-22 22:06:04.848,{0F0CAB0C-E51D-6033-0D00-00000000AD01},984,588,C:\Windows\system32\svchost.exe,{0F0CAB0C-E666-6033-1101-00000000AD01},2468,C:\Windows\Explorer.EXE,0x1000,CT2

EventID 23, FileDelete (event version 5). Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe, TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational, IMPHASH 00000000000000000000000000000000, IsExecutable false and Archived true on every row:
RecordID,UtcTime,ProcessGuid,ProcessId,User,MD5,SHA256
97993,2021-02-22 22:05:55.026,{0F0CAB0C-E59E-6033-E000-00000000AD01},3816,NT AUTHORITY\SYSTEM,563DC4C30CD2350306023CD47A2CBF3B,A73C8B78F41A605661DFE6147117C81E6B88AF4C93748A216FD382302050230C
97996,2021-02-22 22:05:56.030,{0F0CAB0C-E59E-6033-E000-00000000AD01},3816,NT AUTHORITY\SYSTEM,D59C921479DF973931AE35C045C9D05D,E3A2B53E3A7EDDFC7D28A9B6724BB32A521853F4669E3D0100A4CBCA56A730E1
97999,2021-02-22 22:05:57.036,{0F0CAB0C-E59E-6033-E000-00000000AD01},3816,NT AUTHORITY\SYSTEM,B60BE95F32FDE350BB313B18B5A13FDF,BA429D5483C9CDD4D398424AE25B11CACD784D29337911C6C4C4F3A3D4510D84
98002,2021-02-22 22:05:58.043,{0F0CAB0C-E59E-6033-E000-00000000AD01},3816,NT AUTHORITY\SYSTEM,BC7320D9415FD88477E705B5EC119F64,AC3A7E548B656465FDCDE74BE93374AC5099FEB9CB9A0456D675C18E3F59C5F4
98005,2021-02-22 22:05:59.051,{0F0CAB0C-E59E-6033-E000-00000000AD01},3816,NT AUTHORITY\SYSTEM,A0129DCB42155CA86EB32D6FD67D6A33,95FF93DFE8056A84A7B080646CEFB898EF7ABAABD991C1794C57B4EE2288414F
98008,2021-02-22 22:06:00.055,{0F0CAB0C-E59E-6033-E000-00000000AD01},3816,NT AUTHORITY\SYSTEM,CC1A8B2F57BF51160BE7903E5CA1E31F,9E52ACEB75FC68AA2CD5251BDEE633C865FB0C90EBC7EF0E9732468A97C5EC3D
98012,2021-02-22 22:06:01.063,{0F0CAB0C-E59E-6033-E000-00000000AD01},3816,NT AUTHORITY\SYSTEM,C777916642C3BBE265CF2209B2F64171,E87223A2C6732EB6C552D9C0123844253DF65CBFC78C2B292C02C7CAA9AFDD4A
98013,2021-02-22 22:06:02.072,{0F0CAB0C-E59E-6033-E000-00000000AD01},3816,NT AUTHORITY\SYSTEM,7392A136DADD9357B75E25A00D4E1F01,F553651433975D540C8DD1976DB77ED5F2D02173BD95417F751BDFF8DEA84EE3
98016,2021-02-22 22:06:03.082,{0F0CAB0C-E59E-6033-E000-00000000AD01},3816,NT AUTHORITY\SYSTEM,0CEEBA636B40B77EA3BE591EF292D792,01F3D1539E6E3ED70AB5A4FF905BDA22DAE9FF6CDDBFD86CCEFA68060F71251C

EventID 3, NetworkConnect (event version 5):
RecordID,UtcTime,ProcessGuid,ProcessId,Image,User,Protocol,Initiated,SourceIsIpv6,SourceIp,SourceHostname,SourcePort,SourcePortName,DestinationIsIpv6,DestinationIp,DestinationHostname,DestinationPort,DestinationPortName
98009,2021-02-22 22:05:58.163,{0F0CAB0C-E599-6033-D700-00000000AD01},632,C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe,NT AUTHORITY\SYSTEM,tcp,true,false,10.0.1.14,win-dc-11.attackrange.local,50187,-,false,10.0.1.12,-,8000,-
10341000x800000000000000098030Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.846{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098029Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.846{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098028Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.846{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098027Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.846{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098026Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.846{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098025Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.846{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098024Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.846{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098023Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.846{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098022Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.846{0F0CAB0C-E51D-6033-0D00-00000000AD01}984588C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098021Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.194{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098020Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.194{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098019Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.087{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E903B8344D1EAE3B233A60420D484776,SHA256=97E328D991884F4B265C5D7B16619849A67C325C90478A6A5DBBFDE346431D43,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098058Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:05.396{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82CD30D57C0C6C4EDA44A74166D3E2F1,SHA256=E6125FC1FB5C5D422AC6E2347465B4FA094A4C73C43DE35FF4770E47CFB1C4AA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098057Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:05.195{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098056Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:05.195{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098055Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:04.035{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50188-false10.0.1.12-8000-
10341000x800000000000000098061Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:06.196{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098060Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:06.196{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098059Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:06.186{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A9A81B2ADD4A9ADACB0DCCE08991426,SHA256=82C155ED3EA7DEE4BE9E5FE2C3D8EEB8A141C39D181CD3DEEFE6AC4939903A4D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098064Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:07.197{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098063Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:07.197{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098062Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:07.192{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA070F93111E0015F07424DCED1ACF4B,SHA256=93522DAD1D59C45C943EF0EFF448FB7912D8C9CBD533D12493B3C1E52814697D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098068Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:08.936{0F0CAB0C-E591-6033-A900-00000000AD01}872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=455D9CA4E02913586B39C34BFD825885,SHA256=A9539C1CACDBE4792ABC4DE09B397C051E9241F918AC25A511FB6605464F4AA2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098067Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:08.198{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098066Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:08.198{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098065Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:08.197{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56D85CCED45E05FC9822B8904A8717B7,SHA256=8B95BACE48CCA0B388FEFEB2DF1E773302E9604BB3A05112C072191A34119CDE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098071Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:09.204{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C5F0FEC7767158B4FBB7D923088FC7,SHA256=0868E60A4E1F55F6598CC16A23B8A0F5A375B3F172F610B9123A8FD02C619E58,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098070Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:09.199{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098069Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:09.199{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098076Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:09.165{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50190-false10.0.1.12-8000-
354300x800000000000000098075Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:08.905{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50189-false10.0.1.12-8089-
23542300x800000000000000098074Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:10.212{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A38DEB5EC830BE23C6F57DFFD6A7A3,SHA256=FE6EF72A9A77B001711406CB94B9E956A5B8F2D224F597A5813AE4F9E4100854,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098073Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:10.200{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098072Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:10.200{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098079Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:11.219{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E98A3A7E700E3E3D96A3A0D704D264B,SHA256=1BB29152F514E55D0B1A18410A24740491D1C522C46A57E956AEE5B30E41DEC8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098078Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:11.201{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098077Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:11.201{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098082Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:12.229{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488F386B88A789A3D5A4A5C26D72CB45,SHA256=D101F4EAC62FA9BE45D2A58BDA90EEC50C5509291C860C398021461E7D0CB316,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098081Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:12.201{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098080Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:12.201{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098085Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:13.246{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01696850C3BE57B93F51573E5D8177D1,SHA256=70408A4C6517433A6557BA83D6196FA27321F45923ED8220D9E563903E74B724,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098084Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:13.202{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
Sysmon Event ID 10 (ProcessAccess), tab-separated:
EventID	Version	Level	Task	Opcode	Keywords	EventRecordID	Channel	Computer	RuleName	UtcTime	SourceProcessGUID	SourceProcessId	SourceThreadId	SourceImage	TargetProcessGUID	TargetProcessId	TargetImage	GrantedAccess	CallTrace
10	3	4	10	0	0x8000000000000000	98083	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:13.202	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E680-6033-2501-00000000AD01}	5596	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98087	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:14.203	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E67F-6033-2401-00000000AD01}	5336	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98086	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:14.203	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E680-6033-2501-00000000AD01}	5596	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98090	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:15.204	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E67F-6033-2401-00000000AD01}	5336	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98089	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:15.204	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E680-6033-2501-00000000AD01}	5596	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98093	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:16.205	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E67F-6033-2401-00000000AD01}	5336	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98092	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:16.205	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E680-6033-2501-00000000AD01}	5596	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98097	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:17.206	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E67F-6033-2401-00000000AD01}	5336	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98096	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:17.206	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E680-6033-2501-00000000AD01}	5596	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98100	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:18.207	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E67F-6033-2401-00000000AD01}	5336	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98099	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:18.207	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E680-6033-2501-00000000AD01}	5596	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98103	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:19.208	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E67F-6033-2401-00000000AD01}	5336	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98102	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:19.208	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E680-6033-2501-00000000AD01}	5596	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98108	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:20.209	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E67F-6033-2401-00000000AD01}	5336	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98107	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:20.209	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E680-6033-2501-00000000AD01}	5596	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98113	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:21.210	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E67F-6033-2401-00000000AD01}	5336	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98112	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:21.210	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E680-6033-2501-00000000AD01}	5596	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98117	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:22.210	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E67F-6033-2401-00000000AD01}	5336	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98116	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:22.210	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E680-6033-2501-00000000AD01}	5596	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98120	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:23.211	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E67F-6033-2401-00000000AD01}	5336	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98119	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:23.211	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E680-6033-2501-00000000AD01}	5596	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98123	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:24.212	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E67F-6033-2401-00000000AD01}	5336	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98122	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:24.212	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E680-6033-2501-00000000AD01}	5596	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98126	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:25.213	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E67F-6033-2401-00000000AD01}	5336	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98125	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:25.213	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E680-6033-2501-00000000AD01}	5596	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98130	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:26.214	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E67F-6033-2401-00000000AD01}	5336	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98129	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:26.214	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E680-6033-2501-00000000AD01}	5596	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98128	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:26.025	{0F0CAB0C-E51D-6033-0D00-00000000AD01}	984	6852	C:\Windows\system32\svchost.exe	{0F0CAB0C-E665-6033-0801-00000000AD01}	3736	C:\Windows\System32\rdpclip.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98136	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:27.215	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E67F-6033-2401-00000000AD01}	5336	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98135	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:27.215	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E680-6033-2501-00000000AD01}	5596	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98140	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:28.216	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E67F-6033-2401-00000000AD01}	5336	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98139	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:28.216	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E680-6033-2501-00000000AD01}	5596	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98143	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:29.217	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E67F-6033-2401-00000000AD01}	5336	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98142	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:29.217	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E680-6033-2501-00000000AD01}	5596	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10	3	4	10	0	0x8000000000000000	98146	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:30.218	{0F0CAB0C-E51D-6033-0C00-00000000AD01}	608	1056	C:\Windows\system32\svchost.exe	{0F0CAB0C-E67F-6033-2401-00000000AD01}	5336	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x3600	C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821

Sysmon Event ID 23 (FileDelete), tab-separated:
EventID	Version	Level	Task	Opcode	Keywords	EventRecordID	Channel	Computer	RuleName	UtcTime	ProcessGuid	ProcessId	User	Image	TargetFilename	Hashes	IsExecutable	Archived
23	5	4	23	0	0x8000000000000000	98088	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:14.257	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=121C7E1E09DC0D3B8FA3478ADE264FDE,SHA256=33D4B437DC6133680E86A75C50AAA55972B84B034AAFC737F3C0A2D0E3E6D09C,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98091	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:15.268	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=46EAFF7AAA90C8CAF93E5D0F3D295EF8,SHA256=276B2B08C631B04071CB358A151E4EADE04770DBB32E5DFAD7FCFA8FBBC3FD66,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98094	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:16.284	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=00C7CF48A0E68597E048240111FCA11B,SHA256=0A9D1F195E5D2A955DB6ECD6A0578D92A89EBC2A040848194F00452BAA1DF732,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98098	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:17.299	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=7E6499238263AB718038CD463C665A87,SHA256=D31B8E81AE5F6B2D25A3316E34D83D14DA3CE63C9A4A568FD2C0C95691259C9C,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98101	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:18.308	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=C720B15232929EAA44BA635F237C682B,SHA256=970A1BBB6EB07F820D3A1E406AE3A5E1CFC3709A097D330AE30E660CD79CCFE1,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98106	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:19.908	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security	MD5=D83E0ECE7BCD9C1AABE71059EC5941AD,SHA256=1BBD579A7C02BF4C83201F0E4FDDB8784D6E74C8E529F09890F5FC037546328A,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98105	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:19.907	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security	MD5=C06BC763F8D7BD10E673BA17742F513B,SHA256=FDB287909F611AE8D4C5BA1F6DAE5218D5AA5ED51E20492C29AAAB1B5A0F7518,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98104	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:19.315	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=A9B56583C634D8CB7E6380D9C9BA758D,SHA256=44AABB28574E739D25600616551954EDA1B1A6537F6D4BEEE47B48AB0EB84882,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98109	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:20.323	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=AF915C8A7970B3F999E82FA497D472FC,SHA256=DC8B347063DFC319E7E4B91DDCC1E95B66C7582F598C3FDB49D51013BE8817A2,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98114	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:21.328	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=95D49B9EB9AB23F40DB77C0F3A50FACB,SHA256=4F8F8E0B9142B8F8532DBA3A0D6239F02CE4F5DC79F268ACD70F90260E447455,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98118	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:22.334	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=889D0809BE5C0178186FFC6A5ECDA7C9,SHA256=051943EFC6AD59ACF7DF6B1AF469C9DF16CE323046B57648E7A981BE96BBD300,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98121	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:23.340	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=B75AE26A9018A5F441435B0FD87E0513,SHA256=34739571C03512BF2D413CFD2CF32F763E29D43C18B99BCB7CA43DD9511547D0,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98124	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:24.347	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=28C4AD3C620C78F17CA7E409F45F11D2,SHA256=561183DFC07C330313F1FC79009623199CE3DCC51773D785BC461E96A4CF8694,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98127	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:25.355	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=73B8D2FF1D76121405DD73F2BB66718B,SHA256=A893D68BFA7FE95D5208D794F29ABB1E4730CB960FE35491827C47D4D8B50B3B,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98134	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:26.842	{0F0CAB0C-2785-6034-CD0D-00000000AD01}	5724	ATTACKRANGE\Administrator	C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe	C:\Users\ADMINI~1\AppData\Local\Temp\3\imageio6737618447378323786.tmp	MD5=AB93A489F8BDB3A5D88E43E9F0CE51E1,SHA256=3D23E28DDE1CF81CD868567E5F0DE637F04D41C9B624B24B4A85729A748CBF9B,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98133	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:26.801	{0F0CAB0C-2785-6034-CD0D-00000000AD01}	5724	ATTACKRANGE\Administrator	C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe	C:\Users\ADMINI~1\AppData\Local\Temp\3\imageio6170967010365630749.tmp	MD5=BAADE56E37F86B9B425892758602EC26,SHA256=34FB07B1874FD9CEA3C4D5D94999C3F2B1921E9B93805DAE30BB36E8255038E8,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98132	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:26.768	{0F0CAB0C-2785-6034-CD0D-00000000AD01}	5724	ATTACKRANGE\Administrator	C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe	C:\Users\ADMINI~1\AppData\Local\Temp\3\imageio5371814722503670723.tmp	MD5=244D4CE5225FA6CE75B5642993069918,SHA256=1DBBD5B96F4D0D21820E4409B05EE19BA922DE15BA92D44FCA1116E6D74CED91,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98131	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:26.365	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=452725978498BFE819F3E1FE2DE481A3,SHA256=C6D1F72C180167D368727D780D4605C21A8B3746F99F49CE770416EAA4592586,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98137	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:27.377	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=0CD60BE8833D5F8204ABACCEEEEDBA13,SHA256=401223BAF53209293C1500B9AB537FF9E5CAA91F3E7CA0C68750C0035ACFCF85,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98141	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:28.381	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=69359DBD1564A3E0D5E085B57B691B3F,SHA256=40367240B2ECD0321E73362BE3F2B609AE14A6F39756D5E289A90D8BA63F9E82,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98144	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:29.398	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=D7A641578234397C28BE3718C6DA6206,SHA256=8E76F7334A1BDBBDBFD750348FBDA87AACBED21387F5F2E82AE3AF53E6A18696,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	98147	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:30.403	{0F0CAB0C-E59E-6033-E000-00000000AD01}	3816	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=8B0B8C3756C3B8AA9A48E87799486F22,SHA256=68F36DFE416BE7AC26C768CDDE1D73126FBBA391C1DE96C4B6F8E326B6153BE5,IMPHASH=00000000000000000000000000000000	false	true

Sysmon Event ID 3 (NetworkConnect), tab-separated:
EventID	Version	Level	Task	Opcode	Keywords	EventRecordID	Channel	Computer	RuleName	UtcTime	ProcessGuid	ProcessId	Image	User	Protocol	Initiated	SourceIsIpv6	SourceIp	SourceHostname	SourcePort	SourcePortName	DestinationIsIpv6	DestinationIp	DestinationHostname	DestinationPort	DestinationPortName
3	5	4	3	0	0x8000000000000000	98095	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:15.042	{0F0CAB0C-E599-6033-D700-00000000AD01}	632	C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe	NT AUTHORITY\SYSTEM	tcp	true	false	10.0.1.14	win-dc-11.attackrange.local	50191	-	false	10.0.1.12	-	8000	-
3	5	4	3	0	0x8000000000000000	98111	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:18.880	{0F0CAB0C-E51B-6033-0B00-00000000AD01}	856	C:\Windows\System32\lsass.exe	NT AUTHORITY\SYSTEM	tcp	false	true	0:0:0:0:0:0:0:1	win-dc-11.attackrange.local	50192	-	true	0:0:0:0:0:0:0:1	win-dc-11.attackrange.local	389	ldap
3	5	4	3	0	0x8000000000000000	98110	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:18.880	{0F0CAB0C-E52D-6033-3100-00000000AD01}	2316	C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe	NT AUTHORITY\SYSTEM	tcp	true	true	0:0:0:0:0:0:0:1	win-dc-11.attackrange.local	50192	-	true	0:0:0:0:0:0:0:1	win-dc-11.attackrange.local	389	ldap
3	5	4	3	0	0x8000000000000000	98115	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:20.172	{0F0CAB0C-E599-6033-D700-00000000AD01}	632	C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe	NT AUTHORITY\SYSTEM	tcp	true	false	10.0.1.14	win-dc-11.attackrange.local	50193	-	false	10.0.1.12	-	8000	-
3	5	4	3	0	0x8000000000000000	98138	Microsoft-Windows-Sysmon/Operational	win-dc-11.attackrange.local	-	2021-02-22 22:06:26.043	{0F0CAB0C-E599-6033-D700-00000000AD01}	632	C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe	NT AUTHORITY\SYSTEM	tcp	true	false	10.0.1.14	win-dc-11.attackrange.local	50194	-	false	10.0.1.12	-	8000	-
10341000x800000000000000098145Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:30.218{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098150Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:31.416{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2A643E55EF706CAB433F07DB3D01DB,SHA256=025C7CDFCEC2107CA7196419507A29089D35337751ED9CB23CB1C953C54717C6,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098149Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:31.219{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098148Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:31.219{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098154Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:31.164{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50195-false10.0.1.12-8000-
23542300x800000000000000098153Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:32.420{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60132A80CD6CAD7D4C6FB647E0A1CE3F,SHA256=4491D40E1A3CC0DE8C8B4578EA168A04B1A7B838DA5D42C3365F515A88E715A0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098152Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:32.220{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098151Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:32.220{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098158Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:33.427{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC012DB2A187F6CF433649841D2FD35,SHA256=E9E2E998DD2A58AD7997445B1EA03EA7F596B16E6FF1C3BA58BCBD6595D6CF6E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098157Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:33.381{0F0CAB0C-E666-6033-1101-00000000AD01}24686080C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+dc3e5|C:\Windows\Explorer.EXE+6e771|C:\Windows\Explorer.EXE+4d787|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF803818708C8)|UNKNOWN(FFFFC16313D64978)|UNKNOWN(FFFFC16313D64AF7)|UNKNOWN(FFFFC16313D5F181)|UNKNOWN(FFFFC16313D60B4A)|UNKNOWN(FFFFC16313D5EE06)|UNKNOWN(FFFFF80381587E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\Explorer.EXE+51aca|C:\Windows\Explorer.EXE+8f763|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098156Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:33.221{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098155Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:33.221{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098162Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:34.430{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C44C5916FFE90606561C16E01D828CA,SHA256=D230763921B2964690BF78618DDDB6EEC963A7726AFC9667969E3BE3EFA2D4DE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098161Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:34.222{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098160Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:34.222{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098159Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:34.064{0F0CAB0C-E666-6033-1101-00000000AD01}24686080C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+dc3e5|C:\Windows\Explorer.EXE+6e771|C:\Windows\Explorer.EXE+4d787|C:\Windows\Explorer.EXE+49f72|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9764|UNKNOWN(FFFFF803818708C8)|UNKNOWN(FFFFC16313D64978)|UNKNOWN(FFFFC16313D64AF7)|UNKNOWN(FFFFC16313D5F181)|UNKNOWN(FFFFC16313D60B4A)|UNKNOWN(FFFFC16313D5EE06)|UNKNOWN(FFFFF80381587E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\Explorer.EXE+51aca|C:\Windows\Explorer.EXE+8f763|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098165Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:35.437{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CF37BECA91628A78CA57B2A9A79309,SHA256=817B42EFCBF01B0F26692DDBEB71C7BC7831CC6DE39F8B49F9562A36956DDCEA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098164Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:35.223{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098163Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:35.223{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098168Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:36.447{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8499EC7EAAFC5668688CE98C512CAB77,SHA256=139A2ACD51923D397E55D9F89AE4D28B81112ECF806A948507CBDB8CF1D71DC7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098167Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:36.224{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098166Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:36.224{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098171Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:37.462{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2943D3BA68E7A86C14722C6B090DCE,SHA256=3F3AD4E6D5893FFAB386A947B714FEB03C1B5242357D0A2C2AF46108DF64A5E0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098170Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:37.224{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098169Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:37.224{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098175Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:37.045{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50196-false10.0.1.12-8000-
23542300x800000000000000098174Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:38.471{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=003142738BE7D040642FC93A424071E3,SHA256=A39556F7F88F65A31D62266BC4A98DE36CAEAE1BF48A72E263DECEC5EF0AB0EA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098173Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:38.225{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098172Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:38.225{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098178Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:39.478{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF2717D69A0A7ACFDE9F01C5CEAC761,SHA256=85F1BD967FC3C65A72CA4A4122AC7AF1084A4F919C752570DCB64E35025CC644,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098177Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:39.226{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098176Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:39.226{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098181Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:40.486{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5CD3F244D3D7FE9234847F3892B791,SHA256=5A2029D11AE1C216A40E82A00917C53E2202A15BC5DB75A6479B6E9795851B1C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098180Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:40.227{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098179Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:40.227{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098184Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:41.493{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=257AF4B18B88BC0B97F2D28B14F15C9A,SHA256=EE0DB5208A9C4AFB52F4723763DD37AA473F4E3537D2A259513D3E3FDF4F4C40,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098183Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:41.228{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098182Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:41.228{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098187Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:42.500{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1841AC0C696648F9D59E5E8671F3B95,SHA256=3D9717E45E7700745F27094B6225A81B2A2333C48CCE2CAA6B8F1BA40CA0080C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098186Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:42.229{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098185Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:42.229{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
534500x800000000000000098193Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:43.789{0F0CAB0C-281E-6034-E00D-00000000AD01}708C:\Users\Administrator\Desktop\artifact.exe
534500x800000000000000098192Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:43.778{0F0CAB0C-27D0-6034-D60D-00000000AD01}4696C:\Users\Administrator\Desktop\beacon.exe
354300x800000000000000098191Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:42.177{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50197-false10.0.1.12-8000-
23542300x800000000000000098190Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:43.507{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D14A193F445394CC26D7986EC00A79,SHA256=CB6153FEC5BEB1550AC94F1E1575B4348750444E1DAB042DEC8024032E0C2ED7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098189Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:43.230{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098188Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:43.230{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098198Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:44.776{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\3\imageio5367092464758173280.tmpMD5=AB93A489F8BDB3A5D88E43E9F0CE51E1,SHA256=3D23E28DDE1CF81CD868567E5F0DE637F04D41C9B624B24B4A85729A748CBF9B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098197Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:44.736{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\3\imageio17761760072674751824.tmpMD5=BAADE56E37F86B9B425892758602EC26,SHA256=34FB07B1874FD9CEA3C4D5D94999C3F2B1921E9B93805DAE30BB36E8255038E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098196Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:44.514{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128188B65DDA9A37FB70CE5279CF0827,SHA256=93A63B522F65DF8E55205B81B99FB07683A9A7743DA4E38C64F030764C993D76,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098195Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:44.230{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098194Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:44.230{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
13241300x800000000000000098208Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.localInvDB-VerSetValue2021-02-22 22:06:45.791{0F0CAB0C-E51D-6033-1400-00000000AD01}1304C:\Windows\System32\svchost.exe\REGISTRY\A\{ae73fbdb-ea8b-fd9d-34fd-7644a2edce8b}\Root\InventoryApplicationFile\beacon.exe|14342b9a39b0d4b7\BinProductVersion(Empty)
13241300x800000000000000098207Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.localInvDB-CompileTimeClaimSetValue2021-02-22 22:06:45.791{0F0CAB0C-E51D-6033-1400-00000000AD01}1304C:\Windows\System32\svchost.exe\REGISTRY\A\{ae73fbdb-ea8b-fd9d-34fd-7644a2edce8b}\Root\InventoryApplicationFile\beacon.exe|14342b9a39b0d4b7\LinkDate06/09/2020 00:17:28
13241300x800000000000000098206Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.localInvDB-PubSetValue2021-02-22 22:06:45.791{0F0CAB0C-E51D-6033-1400-00000000AD01}1304C:\Windows\System32\svchost.exe\REGISTRY\A\{ae73fbdb-ea8b-fd9d-34fd-7644a2edce8b}\Root\InventoryApplicationFile\beacon.exe|14342b9a39b0d4b7\Publisher(Empty)
13241300x800000000000000098205Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.localInvDB-PathSetValue2021-02-22 22:06:45.791{0F0CAB0C-E51D-6033-1400-00000000AD01}1304C:\Windows\System32\svchost.exe\REGISTRY\A\{ae73fbdb-ea8b-fd9d-34fd-7644a2edce8b}\Root\InventoryApplicationFile\beacon.exe|14342b9a39b0d4b7\LowerCaseLongPathc:\users\administrator\desktop\beacon.exe
13241300x800000000000000098204Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.localInvDBSetValue2021-02-22 22:06:45.779{0F0CAB0C-E51D-6033-1400-00000000AD01}1304C:\Windows\System32\svchost.exeHKU\S-1-5-21-2309400775-1311174122-2981337477-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Desktop\beacon.exeBinary Data
23542300x800000000000000098203Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:45.527{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C651844CAF65B066769E0BF9F957484,SHA256=878B6039F45613BB06901CFDF0802D0011A937E857AAE481E732A7B8E11BD6C7,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000098202Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:43.762{0F0CAB0C-281E-6034-E00D-00000000AD01}708C:\Users\Administrator\Desktop\artifact.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-11.attackrange.local50199-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
354300x800000000000000098201Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:43.742{0F0CAB0C-281E-6034-E00D-00000000AD01}708C:\Users\Administrator\Desktop\artifact.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-11.attackrange.local50198-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https
10341000x800000000000000098200Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:45.231{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098199Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:45.231{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098211Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:46.532{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521CC3FEA54AB7F6ABB8397110A15DE7,SHA256=43B5BF6C80E6AAAD96CE19EF0DDDFF3C76978BEAFA791C8226BA814AA8EC7BD1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098210Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:46.232{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098209Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:46.232{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098214Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:47.544{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B97059E880A961C2CC2CA6CA8A2B5B,SHA256=CB5EAAA141278BB31D92F35927C07F2BA6A7B6DBF67360128097423560A34EF1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098213Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:47.233{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098212Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:47.233{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098233Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.566{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2AF8-6034-3B0E-00000000AD01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098232Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.565{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098231Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.564{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098230Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.564{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098229Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.564{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098228Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.564{0F0CAB0C-E51B-6033-0500-00000000AD01}6401144C:\Windows\system32\csrss.exe{0F0CAB0C-2AF8-6034-3B0E-00000000AD01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098227Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.563{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2AF8-6034-3B0E-00000000AD01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098226Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.562{0F0CAB0C-2AF8-6034-3B0E-00000000AD01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000098225Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.553{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9D56BF43A3BFA1CA37F909ACCC2FD1,SHA256=1084D7F620D4B233261CFB397323C8AB4E9F6DB0F2F35ADE9982D24AFAB74AC8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098224Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.234{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098223Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.234{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098222Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.012{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2AF8-6034-3A0E-00000000AD01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098221Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.010{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098220Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.010{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098219Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.010{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098218Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.009{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098217Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.009{0F0CAB0C-E51B-6033-0500-00000000AD01}640756C:\Windows\system32\csrss.exe{0F0CAB0C-2AF8-6034-3A0E-00000000AD01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098216Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.009{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2AF8-6034-3A0E-00000000AD01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098215Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.007{0F0CAB0C-2AF8-6034-3A0E-00000000AD01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000098247Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.570{0F0CAB0C-E51D-6033-1100-00000000AD01}1196NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=703B5B4B4FE15E73E78E03DE533A3783,SHA256=75EF217A6FD626A27092788EB42DFE567107F7A06D40DFD1B4CC2EBB700EAF07,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098246Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.569{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80CAA3D96951A101030673BA4E3826D,SHA256=B4AC70E2E1C1320D454AF11C9CAA60424600E7B804EECE11114E7C1FB41CE446,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000098245Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:48.056{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50200-false10.0.1.12-8000-
10341000x800000000000000098244Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.386{0F0CAB0C-2AF9-6034-3C0E-00000000AD01}77927080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098243Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.235{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2AF9-6034-3C0E-00000000AD01}7792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098242Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.235{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098241Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.235{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098240Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.233{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098239Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.233{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098238Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.232{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098237Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.232{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098236Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.232{0F0CAB0C-E51B-6033-0500-00000000AD01}640756C:\Windows\system32\csrss.exe{0F0CAB0C-2AF9-6034-3C0E-00000000AD01}7792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098235Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.232{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2AF9-6034-3C0E-00000000AD01}7792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098234Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:49.230{0F0CAB0C-2AF9-6034-3C0E-00000000AD01}7792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000098250Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:50.579{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9902BDBA7011B7026D3A6402EAB2A8,SHA256=DA84589BB163049F70F5DBBC1EBE9227D128D8388932484481CD028D5770A71C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098249Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:50.236{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098248Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:50.236{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098262Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.598{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B22E2DED27A2B03E78141F8DEB967E6,SHA256=E8DF193BF56E5E4A12E4F9FDF64058E8BF6F5DB9F70E246C4B98A6A680BADF93,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098261Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.502{0F0CAB0C-2AFB-6034-3D0E-00000000AD01}12606656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098260Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.351{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2AFB-6034-3D0E-00000000AD01}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098259Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.349{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098258Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.349{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098257Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.349{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098256Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.348{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098255Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.348{0F0CAB0C-E51B-6033-0500-00000000AD01}640656C:\Windows\system32\csrss.exe{0F0CAB0C-2AFB-6034-3D0E-00000000AD01}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098254Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.348{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2AFB-6034-3D0E-00000000AD01}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098253Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.347{0F0CAB0C-2AFB-6034-3D0E-00000000AD01}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000098252Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.237{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098251Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:51.237{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098283Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.844{0F0CAB0C-2AFC-6034-3F0E-00000000AD01}72442388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098282Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.688{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2AFC-6034-3F0E-00000000AD01}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098281Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.686{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098280Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.686{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098279Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.685{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098278Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.685{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098277Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.685{0F0CAB0C-E51B-6033-0500-00000000AD01}640756C:\Windows\system32\csrss.exe{0F0CAB0C-2AFC-6034-3F0E-00000000AD01}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098276Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.685{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2AFC-6034-3F0E-00000000AD01}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098275Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.683{0F0CAB0C-2AFC-6034-3F0E-00000000AD01}7244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000098274Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.607{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BEE36EDDC0E7B8B75A5024AC78F8BCD,SHA256=18BAF7D5A7C4B4C134E917BACA92EF4A21110D54D8DB13D1250D68264A73F5A3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098273Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.238{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098272Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.238{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098271Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.168{0F0CAB0C-2AFC-6034-3E0E-00000000AD01}27647540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098270Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.019{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2AFC-6034-3E0E-00000000AD01}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098269Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.017{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098268Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.017{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098267Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:06:52.016{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98266; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:52.016; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=7648; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E52D-6033-2E00-00000000AD01}; TargetProcessId=2800; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98265; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:52.016; SourceProcessGUID={0F0CAB0C-E51B-6033-0500-00000000AD01}; SourceProcessId=640; SourceThreadId=656; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={0F0CAB0C-2AFC-6034-3E0E-00000000AD01}; TargetProcessId=2764; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98264; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:52.016; SourceProcessGUID={0F0CAB0C-E591-6033-A900-00000000AD01}; SourceProcessId=872; SourceThreadId=4044; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; TargetProcessGUID={0F0CAB0C-2AFC-6034-3E0E-00000000AD01}; TargetProcessId=2764; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=1; Version=5; Level=4; Task=1; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98263; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:52.015; ProcessGuid={0F0CAB0C-2AFC-6034-3E0E-00000000AD01}; ProcessId=2764; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe; FileVersion=-; Description=-; Product=-; Company=-; OriginalFileName=-; CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2; CurrentDirectory=C:\Windows\system32\; User=NT AUTHORITY\SYSTEM; LogonGuid={0F0CAB0C-E51B-6033-E703-000000000000}; LogonId=0x3e7; TerminalSessionId=0; IntegrityLevel=System; Hashes=MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C; ParentProcessGuid={0F0CAB0C-E591-6033-A900-00000000AD01}; ParentProcessId=872; ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98294; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:53.618; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=52D8AF40AD9FAB0CB90EB47466CDF7D6,SHA256=65B99D86D2E15BE39B5146AB5DFCC61C7D23377BC8BBA9CD1490413BC4144C76,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98293; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:53.355; SourceProcessGUID={0F0CAB0C-E591-6033-AD00-00000000AD01}; SourceProcessId=2124; SourceThreadId=1156; SourceImage=C:\Windows\system32\conhost.exe; TargetProcessGUID={0F0CAB0C-2AFD-6034-400E-00000000AD01}; TargetProcessId=7316; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98292; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:53.353; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=7648; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E52D-6033-2E00-00000000AD01}; TargetProcessId=2800; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98291; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:53.353; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=7648; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E52D-6033-2E00-00000000AD01}; TargetProcessId=2800; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98290; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:53.353; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=7648; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E52D-6033-2E00-00000000AD01}; TargetProcessId=2800; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98289; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:53.352; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=7648; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E52D-6033-2E00-00000000AD01}; TargetProcessId=2800; TargetImage=C:\Windows\sysmon64.exe; GrantedAccess=0x1400; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98288; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:53.352; SourceProcessGUID={0F0CAB0C-E51B-6033-0500-00000000AD01}; SourceProcessId=640; SourceThreadId=656; SourceImage=C:\Windows\system32\csrss.exe; TargetProcessGUID={0F0CAB0C-2AFD-6034-400E-00000000AD01}; TargetProcessId=7316; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98287; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:53.352; SourceProcessGUID={0F0CAB0C-E591-6033-A900-00000000AD01}; SourceProcessId=872; SourceThreadId=4044; SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; TargetProcessGUID={0F0CAB0C-2AFD-6034-400E-00000000AD01}; TargetProcessId=7316; TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe; GrantedAccess=0x1fffff; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=1; Version=5; Level=4; Task=1; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98286; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:53.351; ProcessGuid={0F0CAB0C-2AFD-6034-400E-00000000AD01}; ProcessId=7316; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe; FileVersion=8.0.2; Description=Windows Print Monitor; Product=splunk Application; Company=Splunk Inc.; OriginalFileName=splunk-winprintmon.exe; CommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"; CurrentDirectory=C:\Windows\system32\; User=NT AUTHORITY\SYSTEM; LogonGuid={0F0CAB0C-E51B-6033-E703-000000000000}; LogonId=0x3e7; TerminalSessionId=0; IntegrityLevel=System; Hashes=MD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748; ParentProcessGuid={0F0CAB0C-E591-6033-A900-00000000AD01}; ParentProcessId=872; ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe; ParentCommandLine="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98285; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:53.239; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98284; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:53.239; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98298; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:54.629; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=B4CD39309058A95858BE1518713586B3,SHA256=07BEE521713B3D0ABA58AC868CD30425887558749FE4F7708F91F74F5A28E690,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98297; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:53.190; ProcessGuid={0F0CAB0C-E599-6033-D700-00000000AD01}; ProcessId=632; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-11.attackrange.local; SourcePort=50201; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98296; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:54.240; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98295; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:54.240; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98301; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:55.636; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=652D5806890127AAF2253BED11F761E0,SHA256=9D7EBAA0EFFDF8F08DF336B0B31E93C56846CB3AEAA0E3FF96C46D03F259F04A,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98300; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:55.241; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98299; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:55.241; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98304; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:56.639; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=D6D36BD852AA2E70BC7CB5104C83C001,SHA256=C3F22F053A3A6D2F45A35E664D99E94BD3323D5373B5572908BB120213057CE8,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98303; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:56.241; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98302; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:56.241; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98307; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:57.652; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=3BDA31282AE2EFA608AECA4DC333E16D,SHA256=4A3D897C7AD18E68C4300085C9FC4D71AF1BCC6F931C0F6FF0DC3300180C1DEE,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98306; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:57.242; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98305; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:57.242; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98310; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:58.657; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=0DA0C0803A0689D6B85EBB7E3B0A074B,SHA256=CC3DA74DC5B85F23E212298B2A4FEFD381A7711A04DA5E612ECAAC15AA346FC5,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98309; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:58.242; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98308; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:58.242; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98313; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:59.663; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=00F0093B529480B756552F8F697E4C03,SHA256=26AE213D0A23EEAF7618B27B02FA1C512E9EFE409A8BF17D977EDFAF8F4F982A,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98312; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:59.243; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98311; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:59.243; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98317; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:00.677; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=8E9DCC410E859F1560CF635883E24F6E,SHA256=1C082A55C17B5B58F8D5FFC62ADF8CED70CA580FB8B9A2842077090F7B51C472,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98316; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:06:59.071; ProcessGuid={0F0CAB0C-E599-6033-D700-00000000AD01}; ProcessId=632; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-11.attackrange.local; SourcePort=50202; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98315; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:00.244; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98314; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:00.244; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98320; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:01.682; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=7CFC89343B6C8B1A3FCB21E6A6BBEE4E,SHA256=B8EC8F77F04628818CB9AD66374ECAF21C2310B1D7DBCA87BC5EE98EF74C4CFE,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98319; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:01.245; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98318; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:01.245; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98323; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:02.686; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=3C59438E4B08CB35143EAE1EB82F697E,SHA256=357EF3540F0A893CB2778DFA9DB2F2BE467266F485213F3604A5E517D9EB788C,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98322; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:02.246; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98321; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:02.246; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98326; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:03.701; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=585B2768039E228ED92401C35C589201,SHA256=BB53A6F4FC3A2DADAB52A73F48DF1B5FD173D5F12574C2146C1D3AE375FD3225,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98325; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:03.247; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98324; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:03.247; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98329; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:04.707; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=227E66CBC0782D5375FF7A81900EF843,SHA256=78325D1D43F2A22F0CCBC42EDA12C4A9B4088C974553A253F2E3FC83BD9B7BF1,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98328; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:04.248; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98327; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:04.248; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98333; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:05.714; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=B0FCA973663A38D16777678F5FD2FF1B,SHA256=495C5722C64A13FD89C063C299782ACFAED89942A3DF0A9E53E51ABFB43ECBA8,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
EventID=3; Version=5; Level=4; Task=3; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98332; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:04.196; ProcessGuid={0F0CAB0C-E599-6033-D700-00000000AD01}; ProcessId=632; Image=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe; User=NT AUTHORITY\SYSTEM; Protocol=tcp; Initiated=true; SourceIsIpv6=false; SourceIp=10.0.1.14; SourceHostname=win-dc-11.attackrange.local; SourcePort=50203; SourcePortName=-; DestinationIsIpv6=false; DestinationIp=10.0.1.12; DestinationHostname=-; DestinationPort=8000; DestinationPortName=-
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98331; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:05.249; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E67F-6033-2401-00000000AD01}; TargetProcessId=5336; TargetImage=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=10; Version=3; Level=4; Task=10; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98330; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:05.249; SourceProcessGUID={0F0CAB0C-E51D-6033-0C00-00000000AD01}; SourceProcessId=608; SourceThreadId=1056; SourceImage=C:\Windows\system32\svchost.exe; TargetProcessGUID={0F0CAB0C-E680-6033-2501-00000000AD01}; TargetProcessId=5596; TargetImage=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; GrantedAccess=0x3600; CallTrace=C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
EventID=23; Version=5; Level=4; Task=23; Opcode=0; Keywords=0x8000000000000000; EventRecordID=98336; Channel=Microsoft-Windows-Sysmon/Operational; Computer=win-dc-11.attackrange.local; RuleName=-; UtcTime=2021-02-22 22:07:06.727; ProcessGuid={0F0CAB0C-E59E-6033-E000-00000000AD01}; ProcessId=3816; User=NT AUTHORITY\SYSTEM; Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe; TargetFilename=C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational; Hashes=MD5=FC44730A10B84DED8D5B5921D7A944DB,SHA256=5C6E673BD9569A294EC6BB9F7D137C84BBFEC8C08AB7864C086ACD1BEB100191,IMPHASH=00000000000000000000000000000000; IsExecutable=false; Archived=true
10341000x800000000000000098335Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:06.250{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098334Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:06.250{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098339Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:07.733{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C02BA6259309C002A8C47FC9F669B803,SHA256=56B6F82F58E5D3C3FA8D1633F48D6C32D292B339A270C01054CA31F615233226,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098338Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:07.251{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098337Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:07.251{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098343Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:08.954{0F0CAB0C-E591-6033-A900-00000000AD01}872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=455D9CA4E02913586B39C34BFD825885,SHA256=A9539C1CACDBE4792ABC4DE09B397C051E9241F918AC25A511FB6605464F4AA2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098342Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:08.748{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047E679346D2687B2C9B11FCA4C33C1D,SHA256=03B114C9516C2880128334F5FBEAB53003C91E2F163CD427E8EF84B76C04C6E1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098341Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:08.252{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098340Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:08.252{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098349Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:09.754{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1972FBF9808DA0DF005AF1C95189237,SHA256=1AC32BB1D81ED5050533420A552973C19213DD6E9C3CE6FC05E7817E3179A785,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098348Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:09.253{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098347Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:09.253{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098346Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:09.066{0F0CAB0C-E591-6033-A900-00000000AD01}872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=AB99C041118F7F80C1204CD70CD11BEB,SHA256=BFE408852C541CD4E9B5B2D4919030135FF9CC2AEBDB0F8EA9F595689E08371D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098345Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:09.066{0F0CAB0C-E591-6033-A900-00000000AD01}872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=9A4B15D788F56B5155A5093BDADD7C0B,SHA256=DCBCE46802B841FB829BEFF1F9A7CC706743481763F268AD38FA0860C2C739D5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098344Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:09.065{0F0CAB0C-E591-6033-A900-00000000AD01}872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=976676772AF681E7AE381C25CE035DDF,SHA256=57A0DBB0B581F73D510D1239175D00388EA5F6B79503015D92F100B6A4080D79,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098353Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:10.763{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5138D92EF4146036604C39AD60BAE022,SHA256=EEF7F5DB4A95670C3BF20AA9291D8C62450606D04B61B92D1155113879257714,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000098352Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:08.922{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50204-false10.0.1.12-8089-
10341000x800000000000000098351Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:10.254{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098350Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:10.254{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098357Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:11.776{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B97949B817534616971ED4E7B1B47AE,SHA256=DFEC2F6EE6D90CF6A711F0B5EDF3822FAEC586518F1C85236F6F8FB8807F649A,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000098356Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:10.082{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50205-false10.0.1.12-8000-
10341000x800000000000000098355Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:11.255{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098354Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:11.255{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098360Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:12.785{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40787C24BC729985EBC0E1EC76F7CF1A,SHA256=61C2605F45B61C3155516730862090AED1557F1683389024979CA630B150D5F1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098359Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:12.255{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098358Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:12.255{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098363Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:13.800{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5126BC5FE76960E31A97D23AAFC5D4E,SHA256=E68BD05BECA557EE8D01441C979A7B6AF8142EE1972EEEA7CCBA3F248D71A4E3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098362Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:13.256{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098361Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:13.256{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098366Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:14.805{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E67BBBDADC931F1CD7EE8FFC23DA54,SHA256=A56CDFB0B6A620BA29887E06231482B107F85A234E9D60DC1FEF23C39EB6D02A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098365Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:14.257{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098364Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:14.257{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098369Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:15.813{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE8A2CD99B65B908C51876DF4CE6A48,SHA256=430170A5FE68F94DAD45664D8B5BEBB83121762E6FBEB08781D9D06C82D6927D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098368Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:15.258{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098367Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:15.258{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098373Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:16.826{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301B7DD4823E5BE688E598339C96C656,SHA256=EAD2A7C422EABDE115F97FB5C9785FD61E32F7E087CC3B7E8ADF6D3AFF790B70,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000098372Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:15.210{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50206-false10.0.1.12-8000-
10341000x800000000000000098371Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:16.259{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098370Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:16.259{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098376Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:17.832{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A860DFF5E67B3056221CD2549BA9A908,SHA256=F01AD863A6E285C362D1F2A413BF13030AC7183B08EC54220903CAF4334F7129,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098375Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:17.259{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098374Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:17.259{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098379Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:18.840{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=444B75A5AAA12CB5A2BB72044D09B395,SHA256=D8895FF66DBF33D41C19B8C0250761EC8DE848F40CA70F3CC89FE55D52DA1BE1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098378Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:18.260{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098377Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:18.260{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098438Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:36.275{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098442Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:37.276{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098441Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:37.276{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098446Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:37.215{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50211-false10.0.1.12-8000-
10341000x800000000000000098445Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:38.277{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098444Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:38.277{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098443Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:38.010{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=884A4C1E57749DD0AAA91557A53DA306,SHA256=81C498FD9F97188EA2DC4CA6DAA45A16C599C9AF46EB34FFEA5E8FF23D07A7F1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098449Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:39.278{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098448Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:39.278{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098447Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:39.017{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABB52684B148AE9AE39901E3CDB16222,SHA256=5D140B3F01C7A36473A5D7025DA53A5BE4D15156668E261C9347ED5BE8377378,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098452Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:40.279{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098451Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:40.279{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098450Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:40.027{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B0D3C664C474F0CAE2AEF084994B3E,SHA256=49510DF43C0AE52A753F279F924CC6A7772A685150F4F77036CCF6D0CECEA18B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098455Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:41.279{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098454Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:41.279{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098453Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:41.036{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF958C07B3CC4AACEFEEAF8945282369,SHA256=DF036A4FAA06C752B4927D2D68A7C7636C20797CE0F15D78B4DA258E45320E42,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098458Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:42.280{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098457Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:42.280{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098456Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:42.050{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1BFB5C7F2147C734774BB3A00B4421F,SHA256=9D6EC9F122A6CECA91AF4DF23A46DE24675A19B656249841E9DFD64AA1C78777,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098461Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:43.281{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098460Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:43.281{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098459Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:43.055{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2009FCFFAA26AF1C748CD8D2C8837E04,SHA256=3F65FEDC09CEEA22465A15B3408801EA0138BDA6A86E4E9C9BF980757F585CBB,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000098465Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:43.083{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50212-false10.0.1.12-8000-
10341000x800000000000000098464Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:44.282{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098463Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:44.282{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098462Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:44.064{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C85C62C0431450535893B7E5EA3BCC,SHA256=68809DAA8D4C5509B2A3AFD17FEB9028F9C4849954289BB564038291D6E156B4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098468Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:45.282{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098467Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:45.282{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098466Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:45.071{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700B7127563DFCBAAB3DF20A26BFB12E,SHA256=5517FAC72F01AF7759765E75D43ACEC6BDB90DF2B08262507F2CC0DD7AB8D480,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098471Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:46.283{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098470Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:46.283{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098469Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:46.075{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A19513FCF0C8CC94C91AF63D5DDEEF,SHA256=E88645781334C4D6E2F460963CF0FCCDCFAD5DB7014659254605872D6BE3F8F0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098474Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:47.284{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098473Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:47.284{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098472Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:47.089{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6071B786C4DF87FF50DBB71F53A417,SHA256=A55B44F0666FB0250AA796214FAD8D6F4A28AF271180ED18A2580A13BAEA9C20,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098494Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.844{0F0CAB0C-2B34-6034-420E-00000000AD01}65446020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098493Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.691{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2B34-6034-420E-00000000AD01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098492Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.689{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098491Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.689{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098490Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.689{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098489Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.688{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098488Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.688{0F0CAB0C-E51B-6033-0500-00000000AD01}640656C:\Windows\system32\csrss.exe{0F0CAB0C-2B34-6034-420E-00000000AD01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098487Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.688{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2B34-6034-420E-00000000AD01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098486Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.686{0F0CAB0C-2B34-6034-420E-00000000AD01}6544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000098485Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.285{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098484Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.285{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098483Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.103{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B911B5C3BBD1835D3B93B210F37F6AD1,SHA256=AF7E5177D1FD94FB90925247D51890C79508AF603EA667647043112E2842D69D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098482Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.020{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2B34-6034-410E-00000000AD01}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098481Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.019{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098480Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.019{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098479Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.018{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098478Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.018{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098477Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.018{0F0CAB0C-E51B-6033-0500-00000000AD01}640656C:\Windows\system32\csrss.exe{0F0CAB0C-2B34-6034-410E-00000000AD01}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098476Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.018{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2B34-6034-410E-00000000AD01}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098475Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.015{0F0CAB0C-2B34-6034-410E-00000000AD01}7836C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000098518Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:48.201{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50213-false10.0.1.12-8000-
23542300x800000000000000098517Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.573{0F0CAB0C-E51D-6033-1100-00000000AD01}1196NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C2D4937DE316D48B8DDFE205BE5ED850,SHA256=3EDE568B5AEF2E0F0FAC4357F9E947E43B97DE772397F8E52851A026CCE1013B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098516Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.372{0F0CAB0C-E591-6033-AD00-00000000AD01}21241156C:\Windows\system32\conhost.exe{0F0CAB0C-2B35-6034-440E-00000000AD01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098515Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.370{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098514Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.370{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098513Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.370{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098512Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.370{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098511Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.370{0F0CAB0C-E51B-6033-0500-00000000AD01}640756C:\Windows\system32\csrss.exe{0F0CAB0C-2B35-6034-440E-00000000AD01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098510Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.370{0F0CAB0C-E591-6033-A900-00000000AD01}8724044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0F0CAB0C-2B35-6034-440E-00000000AD01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098509Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.368{0F0CAB0C-2B35-6034-440E-00000000AD01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0F0CAB0C-E51B-6033-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000098508Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.286{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098507Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.286{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
17141700x800000000000000098506Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-CreatePipe2021-02-22 22:07:49.250{0F0CAB0C-2B35-6034-430E-00000000AD01}7664\MSSE-6926-serverC:\Users\Administrator\Desktop\beacon.exe
10341000x800000000000000098505Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.247{0F0CAB0C-E51D-6033-1400-00000000AD01}13046556C:\Windows\System32\svchost.exe{0F0CAB0C-2B35-6034-430E-00000000AD01}7664C:\Users\Administrator\Desktop\beacon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac06|c:\windows\system32\pcasvc.dll+aa66|c:\windows\system32\pcasvc.dll+aa28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098504Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.247{0F0CAB0C-E51D-6033-1400-00000000AD01}13046220C:\Windows\System32\svchost.exe{0F0CAB0C-2B35-6034-430E-00000000AD01}7664C:\Users\Administrator\Desktop\beacon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098503Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.245{0F0CAB0C-E51D-6033-1400-00000000AD01}13046220C:\Windows\System32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098502Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.245{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098501Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.245{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098500Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.245{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098499Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.245{0F0CAB0C-E5F8-6033-EF00-00000000AD01}50124224C:\Windows\system32\csrss.exe{0F0CAB0C-2B35-6034-430E-00000000AD01}7664C:\Users\Administrator\Desktop\beacon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098498Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.245{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098497Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.245{0F0CAB0C-E666-6033-1101-00000000AD01}24685124C:\Windows\Explorer.EXE{0F0CAB0C-2B35-6034-430E-00000000AD01}7664C:\Users\Administrator\Desktop\beacon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+8e7a1|C:\Windows\System32\SHELL32.dll+8d606|C:\Windows\System32\SHELL32.dll+ce551|C:\Windows\System32\SHELL32.dll+b475e|C:\Windows\System32\SHELL32.dll+18cf0c|C:\Windows\System32\SHELL32.dll+18cc63|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098496Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.243{0F0CAB0C-2B35-6034-430E-00000000AD01}7664C:\Users\Administrator\Desktop\beacon.exe-----"C:\Users\Administrator\Desktop\beacon.exe" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{0F0CAB0C-E664-6033-7D1A-140000000000}0x141a7d3HighMD5=3F6E8199D369E1A5CF431FC20FA45569,SHA256=5F3560BA8B3B64858A3ACA88B03129F7C80BCCCD34386C64EC1E7AF09872E8CD,IMPHASH=17B461A082950FC6332228572138B80C{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK
23542300x800000000000000098495Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:49.116{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA31720E169467EDB1FCAD2CD82DC399,SHA256=668228F1BDB718B5D956C019FAA93AAC3D3B9EB03793B3E52E3ABB4C2534038F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098524Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:50.287{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098523Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:50.287{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098522Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:50.281{0F0CAB0C-E51B-6033-0B00-00000000AD01}856896C:\Windows\system32\lsass.exe{0F0CAB0C-2B35-6034-430E-00000000AD01}7664C:\Users\Administrator\Desktop\beacon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
Sysmon records from Channel Microsoft-Windows-Sysmon/Operational on Computer win-dc-11.attackrange.local, listed in source order. Fields that are identical in every record are omitted below: Level 4, Opcode 0, Keywords 0x8000000000000000, Task equal to the EventID, RuleName "-". Event versions: EID 1 v5, EID 10 v3, EID 18 v1, EID 22 v5, EID 23 v5. A "-" in a data field is the empty value Sysmon writes.

Call traces (EID 10 CallTrace field; several records share one trace, referenced by letter):
[A] C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
[B] C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
[C] C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
[D] C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+<offset given per record>|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
[E] C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
[F] C:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
[G] C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
[H] C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821

EID 10 ProcessAccess  RecordID 98521  UtcTime 2021-02-22 22:07:50.281
  SourceImage C:\Windows\system32\lsass.exe  SourceProcessId 856  SourceThreadId 896  SourceProcessGUID {0F0CAB0C-E51B-6033-0B00-00000000AD01}
  TargetImage C:\Users\Administrator\Desktop\beacon.exe  TargetProcessId 7664  TargetProcessGUID {0F0CAB0C-2B35-6034-430E-00000000AD01}
  GrantedAccess 0x1000  CallTrace [A]

EID 18 PipeEvent  EventType ConnectPipe  RecordID 98520  UtcTime 2021-02-22 22:07:50.275
  Image C:\Users\Administrator\Desktop\beacon.exe  ProcessId 7664  ProcessGuid {0F0CAB0C-2B35-6034-430E-00000000AD01}
  PipeName \MSSE-6926-server

EID 23 FileDelete  RecordID 98519  UtcTime 2021-02-22 22:07:50.138
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe  ProcessId 3816  ProcessGuid {0F0CAB0C-E59E-6033-E000-00000000AD01}  User NT AUTHORITY\SYSTEM
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=BDB050D6EB305D8D78BCCDF3D8321B41,SHA256=758BA7FA3A4F8FA8B252627EA30266065B0431096BA56C899729DD8C8F35B96C,IMPHASH=00000000000000000000000000000000  IsExecutable false  Archived true

EID 10 ProcessAccess  RecordID 98536  UtcTime 2021-02-22 22:07:51.517
  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  SourceProcessId 7716  SourceThreadId 4432  SourceProcessGUID {0F0CAB0C-2B37-6034-450E-00000000AD01}
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  TargetProcessId 872  TargetProcessGUID {0F0CAB0C-E591-6033-A900-00000000AD01}
  GrantedAccess 0x101400  CallTrace [B]

EID 10 ProcessAccess  RecordID 98535  UtcTime 2021-02-22 22:07:51.360
  SourceImage C:\Windows\system32\conhost.exe  SourceProcessId 2124  SourceThreadId 1156  SourceProcessGUID {0F0CAB0C-E591-6033-AD00-00000000AD01}
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  TargetProcessId 7716  TargetProcessGUID {0F0CAB0C-2B37-6034-450E-00000000AD01}
  GrantedAccess 0x1fffff  CallTrace [C]

EID 10 ProcessAccess  RecordID 98534  UtcTime 2021-02-22 22:07:51.358
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 7648  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\sysmon64.exe  TargetProcessId 2800  TargetProcessGUID {0F0CAB0C-E52D-6033-2E00-00000000AD01}
  GrantedAccess 0x1400  CallTrace [D] with lsm.dll+fd18

EID 10 ProcessAccess  RecordID 98533  UtcTime 2021-02-22 22:07:51.358
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 7648  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\sysmon64.exe  TargetProcessId 2800  TargetProcessGUID {0F0CAB0C-E52D-6033-2E00-00000000AD01}
  GrantedAccess 0x1400  CallTrace [D] with lsm.dll+11aad

EID 10 ProcessAccess  RecordID 98532  UtcTime 2021-02-22 22:07:51.357
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 7648  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\sysmon64.exe  TargetProcessId 2800  TargetProcessGUID {0F0CAB0C-E52D-6033-2E00-00000000AD01}
  GrantedAccess 0x1400  CallTrace [D] with lsm.dll+11058

EID 10 ProcessAccess  RecordID 98531  UtcTime 2021-02-22 22:07:51.357
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 7648  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\sysmon64.exe  TargetProcessId 2800  TargetProcessGUID {0F0CAB0C-E52D-6033-2E00-00000000AD01}
  GrantedAccess 0x1400  CallTrace [D] with lsm.dll+12023

EID 10 ProcessAccess  RecordID 98530  UtcTime 2021-02-22 22:07:51.357
  SourceImage C:\Windows\system32\csrss.exe  SourceProcessId 640  SourceThreadId 756  SourceProcessGUID {0F0CAB0C-E51B-6033-0500-00000000AD01}
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  TargetProcessId 7716  TargetProcessGUID {0F0CAB0C-2B37-6034-450E-00000000AD01}
  GrantedAccess 0x1fffff  CallTrace [E]

EID 10 ProcessAccess  RecordID 98529  UtcTime 2021-02-22 22:07:51.357
  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  SourceProcessId 872  SourceThreadId 4044  SourceProcessGUID {0F0CAB0C-E591-6033-A900-00000000AD01}
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  TargetProcessId 7716  TargetProcessGUID {0F0CAB0C-2B37-6034-450E-00000000AD01}
  GrantedAccess 0x1fffff  CallTrace [F]

EID 1 ProcessCreate  RecordID 98528  UtcTime 2021-02-22 22:07:51.355
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  ProcessId 7716  ProcessGuid {0F0CAB0C-2B37-6034-450E-00000000AD01}
  FileVersion -  Description -  Product -  Company -  OriginalFileName -
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
  CurrentDirectory C:\Windows\system32\  User NT AUTHORITY\SYSTEM  LogonGuid {0F0CAB0C-E51B-6033-E703-000000000000}  LogonId 0x3e7  TerminalSessionId 0  IntegrityLevel System
  Hashes MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C
  ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  ParentProcessId 872  ParentProcessGuid {0F0CAB0C-E591-6033-A900-00000000AD01}  ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EID 10 ProcessAccess  RecordID 98527  UtcTime 2021-02-22 22:07:51.287
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 1056  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe  TargetProcessId 5336  TargetProcessGUID {0F0CAB0C-E67F-6033-2401-00000000AD01}
  GrantedAccess 0x3600  CallTrace [G]

EID 10 ProcessAccess  RecordID 98526  UtcTime 2021-02-22 22:07:51.287
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 1056  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  TargetProcessId 5596  TargetProcessGUID {0F0CAB0C-E680-6033-2501-00000000AD01}
  GrantedAccess 0x3600  CallTrace [G]

EID 23 FileDelete  RecordID 98525  UtcTime 2021-02-22 22:07:51.146
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe  ProcessId 3816  ProcessGuid {0F0CAB0C-E59E-6033-E000-00000000AD01}  User NT AUTHORITY\SYSTEM
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=A4C46E834455A984ADCBF7B0AB6027FB,SHA256=2DFDFD2ED22303222753CF3A2716CBE487AF17A4EE648A29125EFE5CA198A1AB,IMPHASH=00000000000000000000000000000000  IsExecutable false  Archived true

EID 10 ProcessAccess  RecordID 98557  UtcTime 2021-02-22 22:07:52.695
  SourceImage C:\Windows\system32\conhost.exe  SourceProcessId 2124  SourceThreadId 1156  SourceProcessGUID {0F0CAB0C-E591-6033-AD00-00000000AD01}
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe  TargetProcessId 3916  TargetProcessGUID {0F0CAB0C-2B38-6034-470E-00000000AD01}
  GrantedAccess 0x1fffff  CallTrace [C]

EID 10 ProcessAccess  RecordID 98556  UtcTime 2021-02-22 22:07:52.693
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 7648  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\sysmon64.exe  TargetProcessId 2800  TargetProcessGUID {0F0CAB0C-E52D-6033-2E00-00000000AD01}
  GrantedAccess 0x1400  CallTrace [D] with lsm.dll+fd18

EID 10 ProcessAccess  RecordID 98555  UtcTime 2021-02-22 22:07:52.693
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 7648  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\sysmon64.exe  TargetProcessId 2800  TargetProcessGUID {0F0CAB0C-E52D-6033-2E00-00000000AD01}
  GrantedAccess 0x1400  CallTrace [D] with lsm.dll+11aad

EID 10 ProcessAccess  RecordID 98554  UtcTime 2021-02-22 22:07:52.692
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 7648  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\sysmon64.exe  TargetProcessId 2800  TargetProcessGUID {0F0CAB0C-E52D-6033-2E00-00000000AD01}
  GrantedAccess 0x1400  CallTrace [D] with lsm.dll+11058

EID 10 ProcessAccess  RecordID 98553  UtcTime 2021-02-22 22:07:52.692
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 7648  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\sysmon64.exe  TargetProcessId 2800  TargetProcessGUID {0F0CAB0C-E52D-6033-2E00-00000000AD01}
  GrantedAccess 0x1400  CallTrace [D] with lsm.dll+12023

EID 10 ProcessAccess  RecordID 98552  UtcTime 2021-02-22 22:07:52.692
  SourceImage C:\Windows\system32\csrss.exe  SourceProcessId 640  SourceThreadId 1144  SourceProcessGUID {0F0CAB0C-E51B-6033-0500-00000000AD01}
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe  TargetProcessId 3916  TargetProcessGUID {0F0CAB0C-2B38-6034-470E-00000000AD01}
  GrantedAccess 0x1fffff  CallTrace [E]

EID 10 ProcessAccess  RecordID 98551  UtcTime 2021-02-22 22:07:52.692
  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  SourceProcessId 872  SourceThreadId 4044  SourceProcessGUID {0F0CAB0C-E591-6033-A900-00000000AD01}
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe  TargetProcessId 3916  TargetProcessGUID {0F0CAB0C-2B38-6034-470E-00000000AD01}
  GrantedAccess 0x1fffff  CallTrace [F]

EID 1 ProcessCreate  RecordID 98550  UtcTime 2021-02-22 22:07:52.690
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe  ProcessId 3916  ProcessGuid {0F0CAB0C-2B38-6034-470E-00000000AD01}
  FileVersion 8.0.2  Description Windows Print Monitor  Product splunk Application  Company Splunk Inc.  OriginalFileName splunk-winprintmon.exe
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"
  CurrentDirectory C:\Windows\system32\  User NT AUTHORITY\SYSTEM  LogonGuid {0F0CAB0C-E51B-6033-E703-000000000000}  LogonId 0x3e7  TerminalSessionId 0  IntegrityLevel System
  Hashes MD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748
  ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  ParentProcessId 872  ParentProcessGuid {0F0CAB0C-E591-6033-A900-00000000AD01}  ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EID 22 DnsQuery  RecordID 98549  UtcTime 2021-02-22 22:07:50.283
  Image C:\Users\Administrator\Desktop\beacon.exe  ProcessId 7664  ProcessGuid {0F0CAB0C-2B35-6034-430E-00000000AD01}
  QueryName win-dc-11  QueryStatus 0  QueryResults 10.0.1.14;

EID 10 ProcessAccess  RecordID 98548  UtcTime 2021-02-22 22:07:52.288
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 1056  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe  TargetProcessId 5336  TargetProcessGUID {0F0CAB0C-E67F-6033-2401-00000000AD01}
  GrantedAccess 0x3600  CallTrace [G]

EID 10 ProcessAccess  RecordID 98547  UtcTime 2021-02-22 22:07:52.288
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 1056  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  TargetProcessId 5596  TargetProcessGUID {0F0CAB0C-E680-6033-2501-00000000AD01}
  GrantedAccess 0x3600  CallTrace [G]

EID 10 ProcessAccess  RecordID 98546  UtcTime 2021-02-22 22:07:52.175
  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  SourceProcessId 2724  SourceThreadId 3748  SourceProcessGUID {0F0CAB0C-2B38-6034-460E-00000000AD01}
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  TargetProcessId 872  TargetProcessGUID {0F0CAB0C-E591-6033-A900-00000000AD01}
  GrantedAccess 0x101400  CallTrace [B]

EID 23 FileDelete  RecordID 98545  UtcTime 2021-02-22 22:07:52.160
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe  ProcessId 3816  ProcessGuid {0F0CAB0C-E59E-6033-E000-00000000AD01}  User NT AUTHORITY\SYSTEM
  TargetFilename C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational
  Hashes MD5=D5E52E11B7FF43652D4FF802BC7548BE,SHA256=818567EB08B4B488FAFD216046D8EDB5B90BE4DF55DBF567FE37C5F0C6614A0B,IMPHASH=00000000000000000000000000000000  IsExecutable false  Archived true

EID 10 ProcessAccess  RecordID 98544  UtcTime 2021-02-22 22:07:52.025
  SourceImage C:\Windows\system32\conhost.exe  SourceProcessId 2124  SourceThreadId 1156  SourceProcessGUID {0F0CAB0C-E591-6033-AD00-00000000AD01}
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  TargetProcessId 2724  TargetProcessGUID {0F0CAB0C-2B38-6034-460E-00000000AD01}
  GrantedAccess 0x1fffff  CallTrace [C]

EID 10 ProcessAccess  RecordID 98543  UtcTime 2021-02-22 22:07:52.024
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 7648  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\sysmon64.exe  TargetProcessId 2800  TargetProcessGUID {0F0CAB0C-E52D-6033-2E00-00000000AD01}
  GrantedAccess 0x1400  CallTrace [D] with lsm.dll+fd18

EID 10 ProcessAccess  RecordID 98542  UtcTime 2021-02-22 22:07:52.024
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 7648  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\sysmon64.exe  TargetProcessId 2800  TargetProcessGUID {0F0CAB0C-E52D-6033-2E00-00000000AD01}
  GrantedAccess 0x1400  CallTrace [D] with lsm.dll+11aad

EID 10 ProcessAccess  RecordID 98541  UtcTime 2021-02-22 22:07:52.023
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 7648  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\sysmon64.exe  TargetProcessId 2800  TargetProcessGUID {0F0CAB0C-E52D-6033-2E00-00000000AD01}
  GrantedAccess 0x1400  CallTrace [D] with lsm.dll+11058

EID 10 ProcessAccess  RecordID 98540  UtcTime 2021-02-22 22:07:52.023
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 7648  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\sysmon64.exe  TargetProcessId 2800  TargetProcessGUID {0F0CAB0C-E52D-6033-2E00-00000000AD01}
  GrantedAccess 0x1400  CallTrace [D] with lsm.dll+12023

EID 10 ProcessAccess  RecordID 98539  UtcTime 2021-02-22 22:07:52.023
  SourceImage C:\Windows\system32\csrss.exe  SourceProcessId 640  SourceThreadId 656  SourceProcessGUID {0F0CAB0C-E51B-6033-0500-00000000AD01}
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  TargetProcessId 2724  TargetProcessGUID {0F0CAB0C-2B38-6034-460E-00000000AD01}
  GrantedAccess 0x1fffff  CallTrace [E]

EID 10 ProcessAccess  RecordID 98538  UtcTime 2021-02-22 22:07:52.023
  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  SourceProcessId 872  SourceThreadId 4044  SourceProcessGUID {0F0CAB0C-E591-6033-A900-00000000AD01}
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  TargetProcessId 2724  TargetProcessGUID {0F0CAB0C-2B38-6034-460E-00000000AD01}
  GrantedAccess 0x1fffff  CallTrace [F]

EID 1 ProcessCreate  RecordID 98537  UtcTime 2021-02-22 22:07:52.021
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe  ProcessId 2724  ProcessGuid {0F0CAB0C-2B38-6034-460E-00000000AD01}
  FileVersion -  Description -  Product -  Company -  OriginalFileName -
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"
  CurrentDirectory C:\Windows\system32\  User NT AUTHORITY\SYSTEM  LogonGuid {0F0CAB0C-E51B-6033-E703-000000000000}  LogonId 0x3e7  TerminalSessionId 0  IntegrityLevel System
  Hashes MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C
  ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  ParentProcessId 872  ParentProcessGuid {0F0CAB0C-E591-6033-A900-00000000AD01}  ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EID 10 ProcessAccess  RecordID 98569  UtcTime 2021-02-22 22:07:53.521
  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe  SourceProcessId 7024  SourceThreadId 6048  SourceProcessGUID {0F0CAB0C-2B39-6034-480E-00000000AD01}
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  TargetProcessId 872  TargetProcessGUID {0F0CAB0C-E591-6033-A900-00000000AD01}
  GrantedAccess 0x101400  CallTrace [H]

EID 10 ProcessAccess  RecordID 98568  UtcTime 2021-02-22 22:07:53.361
  SourceImage C:\Windows\system32\conhost.exe  SourceProcessId 2124  SourceThreadId 1156  SourceProcessGUID {0F0CAB0C-E591-6033-AD00-00000000AD01}
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe  TargetProcessId 7024  TargetProcessGUID {0F0CAB0C-2B39-6034-480E-00000000AD01}
  GrantedAccess 0x1fffff  CallTrace [C]

EID 10 ProcessAccess  RecordID 98567  UtcTime 2021-02-22 22:07:53.360
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 7648  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\sysmon64.exe  TargetProcessId 2800  TargetProcessGUID {0F0CAB0C-E52D-6033-2E00-00000000AD01}
  GrantedAccess 0x1400  CallTrace [D] with lsm.dll+fd18

EID 10 ProcessAccess  RecordID 98566  UtcTime 2021-02-22 22:07:53.360
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 7648  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\sysmon64.exe  TargetProcessId 2800  TargetProcessGUID {0F0CAB0C-E52D-6033-2E00-00000000AD01}
  GrantedAccess 0x1400  CallTrace [D] with lsm.dll+11aad

EID 10 ProcessAccess  RecordID 98565  UtcTime 2021-02-22 22:07:53.359
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 7648  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\sysmon64.exe  TargetProcessId 2800  TargetProcessGUID {0F0CAB0C-E52D-6033-2E00-00000000AD01}
  GrantedAccess 0x1400  CallTrace [D] with lsm.dll+11058

EID 10 ProcessAccess  RecordID 98564  UtcTime 2021-02-22 22:07:53.359
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 7648  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\sysmon64.exe  TargetProcessId 2800  TargetProcessGUID {0F0CAB0C-E52D-6033-2E00-00000000AD01}
  GrantedAccess 0x1400  CallTrace [D] with lsm.dll+12023

EID 10 ProcessAccess  RecordID 98563  UtcTime 2021-02-22 22:07:53.359
  SourceImage C:\Windows\system32\csrss.exe  SourceProcessId 640  SourceThreadId 1144  SourceProcessGUID {0F0CAB0C-E51B-6033-0500-00000000AD01}
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe  TargetProcessId 7024  TargetProcessGUID {0F0CAB0C-2B39-6034-480E-00000000AD01}
  GrantedAccess 0x1fffff  CallTrace [E]

EID 10 ProcessAccess  RecordID 98562  UtcTime 2021-02-22 22:07:53.359
  SourceImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  SourceProcessId 872  SourceThreadId 4044  SourceProcessGUID {0F0CAB0C-E591-6033-A900-00000000AD01}
  TargetImage C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe  TargetProcessId 7024  TargetProcessGUID {0F0CAB0C-2B39-6034-480E-00000000AD01}
  GrantedAccess 0x1fffff  CallTrace [F]

EID 1 ProcessCreate  RecordID 98561  UtcTime 2021-02-22 22:07:53.357
  Image C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe  ProcessId 7024  ProcessGuid {0F0CAB0C-2B39-6034-480E-00000000AD01}
  FileVersion 8.0.2  Description Registry monitor  Product splunk Application  Company Splunk Inc.  OriginalFileName splunk-regmon.exe
  CommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"
  CurrentDirectory C:\Windows\system32\  User NT AUTHORITY\SYSTEM  LogonGuid {0F0CAB0C-E51B-6033-E703-000000000000}  LogonId 0x3e7  TerminalSessionId 0  IntegrityLevel System
  Hashes MD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25
  ParentImage C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe  ParentProcessId 872  ParentProcessGuid {0F0CAB0C-E591-6033-A900-00000000AD01}  ParentCommandLine "C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service

EID 10 ProcessAccess  RecordID 98560  UtcTime 2021-02-22 22:07:53.288
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 1056  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe  TargetProcessId 5336  TargetProcessGUID {0F0CAB0C-E67F-6033-2401-00000000AD01}
  GrantedAccess 0x3600  CallTrace [G]

EID 10 ProcessAccess  RecordID 98559  UtcTime 2021-02-22 22:07:53.288
  SourceImage C:\Windows\system32\svchost.exe  SourceProcessId 608  SourceThreadId 1056  SourceProcessGUID {0F0CAB0C-E51D-6033-0C00-00000000AD01}
  TargetImage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe  TargetProcessId 5596  TargetProcessGUID {0F0CAB0C-E680-6033-2501-00000000AD01}
  GrantedAccess 0x3600  CallTrace [G]
23542300x800000000000000098558Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:53.167{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150321C7E810C388C6B9426536016691,SHA256=57B9333C70F013989CF7ECFE45CC973F9D83F308718E6A4AA5BE320AA8821F3F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098573Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:54.731{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724ATTACKRANGE\AdministratorC:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exeC:\Users\ADMINI~1\AppData\Local\Temp\3\imageio9491242089805566256.tmpMD5=275D85FC45D5242251F92298A81249E2,SHA256=397CB8C6B627C9BA37360DF88A3662D7EE596A741A8B01A65486B196DA211BFE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098572Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:54.289{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098571Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:54.289{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098570Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:54.175{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B675F3DA9342261C3D8F04FAA7F870D9,SHA256=03C4F755B0E2F68DD11FA4027EB7CF5A267B5C0E846DB95BDD0BCB9084936D80,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000098577Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:54.074{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50214-false10.0.1.12-8000-
10341000x800000000000000098576Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:55.290{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098575Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:55.290{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098574Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:55.186{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0C65629E6C9D42EC69651E2A90D2DE,SHA256=1E3BACB2834610B91B0245CDE383F517D2E7738E66FE5FCBA4C1CBF92D447C0E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098580Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:56.291{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098579Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:56.291{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098578Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:56.193{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6FC17BEF49FCD089F152245A07A61D,SHA256=89548971C99F015FC843C98F11922864194A0F4CF1CFD695ADF8A15778E1B0E5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098583Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:57.292{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098582Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:57.292{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098581Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:57.197{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFD863B5F6381252AFBF18B472F10CBE,SHA256=B9CDDA23AC30B5ED7F92DAE0428B19E98C4E18E04E027ED7E5CDA35C58010B11,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098593Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.616{0F0CAB0C-E666-6033-1101-00000000AD01}24685784C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098592Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.616{0F0CAB0C-E666-6033-1101-00000000AD01}24685784C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098591Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.616{0F0CAB0C-E666-6033-1101-00000000AD01}24685784C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098590Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.613{0F0CAB0C-E666-6033-1101-00000000AD01}24685068C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098589Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.613{0F0CAB0C-E666-6033-1101-00000000AD01}24685068C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098588Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.613{0F0CAB0C-E666-6033-1101-00000000AD01}24685068C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098587Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.613{0F0CAB0C-E666-6033-1101-00000000AD01}24685068C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098586Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.293{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098585Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.293{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098584Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:58.211{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D050A89008048DBBE8E540150EF2E5,SHA256=1E12D47D84D88EB98B4829AB8B1860626DD3721E9E5B2E32B60CB7B199063DB5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098596Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:59.294{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098595Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:59.294{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098594Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:59.225{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E880D88C24BB90D77DD5EFF2E679629,SHA256=4C587105B5C554BC35A4C96D491A22F51B08EE1355FDA9C4075547D19B428467,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000098600Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:07:59.194{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50215-false10.0.1.12-8000-
10341000x800000000000000098599Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:00.295{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098598Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:00.295{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098597Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:00.241{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A4B0017D3665AA2D0F754374089C05,SHA256=D8D0F04105E9B56837A139AE5684E7CAC53C92B286B9A298DABD1EFEF07D4775,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098603Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:01.295{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098602Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:01.295{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098601Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:01.248{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5FFD67C812D610211439B1067A03A9,SHA256=59DF6A77D15276433310F0ACB1481E53C26B8C75F2D56EB18149EECFD9941026,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098606Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:02.296{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098605Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:02.296{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098604Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:02.253{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9C3D15EF81801628E86E23142288CB,SHA256=C388B4313E6A305689E9C96F33C2E288D8A3D0D16A750BC75EFF3E1183EB9A07,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098609Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:03.297{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098608Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:03.297{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098607Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:03.264{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B1B57EB33DC1E6CC6E5C6BCFEEFA87,SHA256=917E049925AF66BFE6F9A548A1BC9E6120140043E1E29309B1177CAD252BE934,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098612Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:04.298{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098611Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:04.298{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098610Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:04.271{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD31909CF1D3A3A3FAF1BCE60E0CC985,SHA256=D9D383BC52ACF6AD8DF424ABCF50344A989F414874D32AC73676291A9EF7B3A3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098626Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.299{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098625Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.299{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098624Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.283{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4053AD6E4E3D0F328B3852A55E66E713,SHA256=F4797A01E1FC7597EEF81ED4CD92FC0179664ABB2D2E16A417F042361211A676,IMPHASH=00000000000000000000000000000000falsetrue
17141700x800000000000000098623Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-CreatePipe2021-02-22 22:08:05.179{0F0CAB0C-2B45-6034-490E-00000000AD01}4372\MSSE-3067-serverC:\Users\Administrator\Desktop\beacon.exe
10341000x800000000000000098622Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.176{0F0CAB0C-E51D-6033-1400-00000000AD01}13046556C:\Windows\System32\svchost.exe{0F0CAB0C-2B45-6034-490E-00000000AD01}4372C:\Users\Administrator\Desktop\beacon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac06|c:\windows\system32\pcasvc.dll+aa66|c:\windows\system32\pcasvc.dll+aa28|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098621Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.175{0F0CAB0C-E51D-6033-1400-00000000AD01}13046220C:\Windows\System32\svchost.exe{0F0CAB0C-2B45-6034-490E-00000000AD01}4372C:\Users\Administrator\Desktop\beacon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098620Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.175{0F0CAB0C-E51D-6033-1400-00000000AD01}13046220C:\Windows\System32\svchost.exe{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+5265e|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098619Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.175{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098618Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.175{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098617Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.174{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098616Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.174{0F0CAB0C-E51D-6033-0C00-00000000AD01}6087648C:\Windows\system32\svchost.exe{0F0CAB0C-E52D-6033-2E00-00000000AD01}2800C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098615Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.174{0F0CAB0C-E5F8-6033-EF00-00000000AD01}50125704C:\Windows\system32\csrss.exe{0F0CAB0C-2B45-6034-490E-00000000AD01}4372C:\Users\Administrator\Desktop\beacon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f
10341000x800000000000000098614Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.174{0F0CAB0C-E666-6033-1101-00000000AD01}24687808C:\Windows\Explorer.EXE{0F0CAB0C-2B45-6034-490E-00000000AD01}4372C:\Users\Administrator\Desktop\beacon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7354|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e55f|C:\Windows\System32\windows.storage.dll+16e1d5|C:\Windows\System32\windows.storage.dll+16dcc6|C:\Windows\System32\windows.storage.dll+16f138|C:\Windows\System32\windows.storage.dll+16daee|C:\Windows\System32\windows.storage.dll+fd005|C:\Windows\System32\windows.storage.dll+fd384|C:\Windows\System32\windows.storage.dll+fc9c0|C:\Windows\System32\windows.storage.dll+1663de|C:\Windows\System32\windows.storage.dll+1660d2|C:\Windows\System32\SHELL32.dll+8e7a1|C:\Windows\System32\SHELL32.dll+8d606|C:\Windows\System32\SHELL32.dll+ce551|C:\Windows\System32\SHELL32.dll+b475e|C:\Windows\System32\SHELL32.dll+18cf0c|C:\Windows\System32\SHELL32.dll+18cc63|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
154100x800000000000000098613Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.173{0F0CAB0C-2B45-6034-490E-00000000AD01}4372C:\Users\Administrator\Desktop\beacon.exe-----"C:\Users\Administrator\Desktop\beacon.exe" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{0F0CAB0C-E664-6033-7D1A-140000000000}0x141a7d3HighMD5=3F6E8199D369E1A5CF431FC20FA45569,SHA256=5F3560BA8B3B64858A3ACA88B03129F7C80BCCCD34386C64EC1E7AF09872E8CD,IMPHASH=17B461A082950FC6332228572138B80C{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK
354300x800000000000000098633Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.067{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50216-false10.0.1.12-8000-
10341000x800000000000000098632Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:06.300{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098631Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:06.300{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098630Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:06.288{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F9D5558FFA57BFF4498B686EFE6459,SHA256=5FEF93EE7A781385169C9309A78322DE6DC0E629ABA393AE8B447763E4D19392,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098629Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:06.210{0F0CAB0C-E51B-6033-0B00-00000000AD01}856896C:\Windows\system32\lsass.exe{0F0CAB0C-2B45-6034-490E-00000000AD01}4372C:\Users\Administrator\Desktop\beacon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098628Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:06.210{0F0CAB0C-E51B-6033-0B00-00000000AD01}856896C:\Windows\system32\lsass.exe{0F0CAB0C-2B45-6034-490E-00000000AD01}4372C:\Users\Administrator\Desktop\beacon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6c14|C:\Windows\System32\RPCRT4.dll+4ab4f|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
18141800x800000000000000098627Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-ConnectPipe2021-02-22 22:08:06.205{0F0CAB0C-2B45-6034-490E-00000000AD01}4372\MSSE-3067-serverC:\Users\Administrator\Desktop\beacon.exe
10341000x800000000000000098636Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:07.300{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098635Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:07.300{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098634Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:07.296{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F8CBE19C527A76C875B824E593ED58,SHA256=6FADF5738C3B4D24E97A512012DAA5DFF2AEFF466EF07D1798422429AD35D0B3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098641Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:08.971{0F0CAB0C-E591-6033-A900-00000000AD01}872NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=455D9CA4E02913586B39C34BFD825885,SHA256=A9539C1CACDBE4792ABC4DE09B397C051E9241F918AC25A511FB6605464F4AA2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000098640Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:08.302{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5CEA5FD273BFD234BEF3E2488E537C4,SHA256=46A260A9F02B3B83EF9B8F687571A0848FF58EE5DEEC6F1F44DA6B9FF0E15180,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098639Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:08.301{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098638Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:08.301{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
22542200x800000000000000098637Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:06.213{0F0CAB0C-2B45-6034-490E-00000000AD01}4372win-dc-11010.0.1.14;C:\Users\Administrator\Desktop\beacon.exe
23542300x800000000000000098644Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:09.308{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF6B4C0EC23CA06E9B219E79868F2B99,SHA256=82EF94481C5A78F6ED0D5B028E6EC2DEB37531452EC004358B1047CC9870AD35,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098643Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:09.302{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098642Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:09.302{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098655Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:08.938{0F0CAB0C-E591-6033-A900-00000000AD01}872C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50217-false10.0.1.12-8089-
23542300x800000000000000098654Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.319{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EF9CA31204F7B41FE9F0ABC5BA1FE3,SHA256=B67D28960926B58DD03D47DADCC1DC000C04240B0ADFBE37BD0AA140DD05F257,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098653Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.303{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098652Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.303{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098651Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.296{0F0CAB0C-E666-6033-1101-00000000AD01}24685784C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0aa5|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098650Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.295{0F0CAB0C-E666-6033-1101-00000000AD01}24685784C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+b09be|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098649Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.295{0F0CAB0C-E666-6033-1101-00000000AD01}24685784C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b0987|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bc8f|C:\Windows\System32\windows.storage.dll+13aa1b|C:\Windows\System32\windows.storage.dll+138f3f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d99|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098648Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.294{0F0CAB0C-E666-6033-1101-00000000AD01}24685068C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aecdf|C:\Windows\System32\SHELL32.dll+b0420|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098647Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.293{0F0CAB0C-E666-6033-1101-00000000AD01}24685068C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+95ad0|C:\Windows\System32\SHELL32.dll+b03dc|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098646Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.293{0F0CAB0C-E666-6033-1101-00000000AD01}24685068C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+aef34|C:\Windows\System32\SHELL32.dll+b03b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098645Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.293{0F0CAB0C-E666-6033-1101-00000000AD01}24685068C:\Windows\Explorer.EXE{0F0CAB0C-2785-6034-CD0D-00000000AD01}5724C:\Program Files\OpenJDK\jdk-15.0.2\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
354300x800000000000000098659Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:10.189{0F0CAB0C-E599-6033-D700-00000000AD01}632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-11.attackrange.local50218-false10.0.1.12-8000-
23542300x800000000000000098658Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:11.340{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2BB4BC8FE5FF4792D8B053511E54D8,SHA256=0DEBB57C70DD5C8711E2D7374D5B5095B3C9F292E38B415B26929F9E43B4CDAA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098657Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:11.304{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098656Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:11.304{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
23542300x800000000000000098662Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:12.344{0F0CAB0C-E59E-6033-E000-00000000AD01}3816NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D4ECFE7E2AD3253403939C1B6A9D673,SHA256=F2D3542B664F8BEB9464B3296A2D2FD74F5B3450BA00EDB5622F1E43169A69F1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000098661Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:12.304{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821
10341000x800000000000000098660Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:12.304{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600
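Reading the rows above: each is one Sysmon event from win-dc-11.attackrange.local exported with its tab separators stripped, so EventID/Version/Level/Task/Opcode are fused into the leading digits, the 0x8000000000000000 keywords have the EventRecordID glued on, and the event-specific fields run together. Enough structure survives to pivot on. Record 98613 (event 1) shows C:\Users\Administrator\Desktop\beacon.exe started by explorer.exe at High integrity; records 98623 and 98627 (events 17 and 18) show the same ProcessGuid creating and then connecting to the named pipe \MSSE-3067-server, which matches the default artifact-kit pipe name Cobalt Strike beacons use (operators can rename it in the malleable C2 profile, so a miss is not a clean bill); record 98637 (event 22) is a DNS query from the same process, with name, status and result fused into "win-dc-11010.0.1.14;". The two lsass.exe rows (98628, 98629) have lsass as the *SourceImage* with a call trace through SspiSrv.dll, i.e. LSA servicing an SSPI request from beacon.exe; a credential-theft rule keys on lsass.exe as *TargetImage* and must not fire on them. The following parser and detection logic, an added example rather than anything from the original page or the Attack Range project, keys on the fields that remain unambiguous (braced GUIDs, drive-letter paths, pipe names, hex access masks); fields that cannot be split with certainty (SourceProcessId+SourceThreadId in event 10, the DNS name/status/result in event 22) are kept as raw blobs. The sample rows are copied verbatim from the export above; the final one is the truncated last line.

```python
import re

# Sample input: rows copied verbatim from the collapsed export on this page (not constructed).
SAMPLE_LINES = [
    r'10341000x800000000000000098626Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.299{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E67F-6033-2401-00000000AD01}5336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+347df|C:\Windows\SYSTEM32\psmserviceexthost.dll+32779|C:\Windows\SYSTEM32\psmserviceexthost.dll+22da9|C:\Windows\SYSTEM32\psmserviceexthost.dll+1ede4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821',
    r'17141700x800000000000000098623Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-CreatePipe2021-02-22 22:08:05.179{0F0CAB0C-2B45-6034-490E-00000000AD01}4372\MSSE-3067-serverC:\Users\Administrator\Desktop\beacon.exe',
    r'10341000x800000000000000098615Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.174{0F0CAB0C-E5F8-6033-EF00-00000000AD01}50125704C:\Windows\system32\csrss.exe{0F0CAB0C-2B45-6034-490E-00000000AD01}4372C:\Users\Administrator\Desktop\beacon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5182f',
    r'154100x800000000000000098613Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:05.173{0F0CAB0C-2B45-6034-490E-00000000AD01}4372C:\Users\Administrator\Desktop\beacon.exe-----"C:\Users\Administrator\Desktop\beacon.exe" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{0F0CAB0C-E664-6033-7D1A-140000000000}0x141a7d3HighMD5=3F6E8199D369E1A5CF431FC20FA45569,SHA256=5F3560BA8B3B64858A3ACA88B03129F7C80BCCCD34386C64EC1E7AF09872E8CD,IMPHASH=17B461A082950FC6332228572138B80C{0F0CAB0C-E666-6033-1101-00000000AD01}2468C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK',
    r'10341000x800000000000000098629Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:06.210{0F0CAB0C-E51B-6033-0B00-00000000AD01}856896C:\Windows\system32\lsass.exe{0F0CAB0C-2B45-6034-490E-00000000AD01}4372C:\Users\Administrator\Desktop\beacon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6084|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78e23|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6194c|C:\Windows\System32\RPCRT4.dll+52bf4|C:\Windows\System32\RPCRT4.dll+51b0d|C:\Windows\System32\RPCRT4.dll+523bb|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51821',
    r'18141800x800000000000000098627Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-ConnectPipe2021-02-22 22:08:06.205{0F0CAB0C-2B45-6034-490E-00000000AD01}4372\MSSE-3067-serverC:\Users\Administrator\Desktop\beacon.exe',
    r'22542200x800000000000000098637Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:06.213{0F0CAB0C-2B45-6034-490E-00000000AD01}4372win-dc-11010.0.1.14;C:\Users\Administrator\Desktop\beacon.exe',
    r'10341000x800000000000000098660Microsoft-Windows-Sysmon/Operationalwin-dc-11.attackrange.local-2021-02-22 22:08:12.304{0F0CAB0C-E51D-6033-0C00-00000000AD01}6081056C:\Windows\system32\svchost.exe{0F0CAB0C-E680-6033-2501-00000000AD01}5596C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600',
]

GUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"

# EventID/Version/Level/Task/Opcode are fused; Sysmon's Task always equals EventID, so a
# backreference resolves the digit split. RuleName is '-' on every row of this export.
HEADER_RE = re.compile(
    r"^(?P<event_id>\d{1,2})(?P<version>\d)(?P<level>\d)(?P=event_id)(?P<opcode>\d)"
    r"0x(?P<keywords>[0-9A-Fa-f]+?)(?P<record_id>[1-9]\d*)"
    r"Microsoft-Windows-Sysmon/Operational(?P<computer>.+?)-"
    r"(?P<event_type>CreatePipe|ConnectPipe)?"   # events 17/18 carry EventType before UtcTime
    r"(?P<utc_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})(?P<body>.*)$"
)
PIPE_RE = re.compile(r"^\{(?P<process_guid>" + GUID + r")\}(?P<process_id>\d+)"
                     r"(?P<pipe_name>\\.+?)(?P<image>[A-Za-z]:\\.+)$")
ACCESS_RE = re.compile(                          # source pid and tid are fused: kept as one blob
    r"^\{(?P<source_guid>" + GUID + r")\}(?P<source_pid_tid>\d+)(?P<source_image>[A-Za-z]:\\.+?)"
    r"\{(?P<target_guid>" + GUID + r")\}(?P<target_pid>\d+)(?P<target_image>[A-Za-z]:\\.+?)"
    r"(?P<granted_access>0x[0-9A-Fa-f]+)(?P<call_trace>[A-Za-z]:\\.*)?$"
)
DNS_RE = re.compile(r"^\{(?P<process_guid>" + GUID + r")\}(?P<process_id>\d+)"
                    r"(?P<query_blob>.+?)(?P<image>[A-Za-z]:\\.+)$")  # name/status/result fused
PROC_RE = re.compile(r"\{(" + GUID + r")\}(\d+)([A-Za-z]:\\.+?\.exe)")  # event 1: self, then parent
INTEGRITY_RE = re.compile(r"(Low|Medium|High|System)(?:MD5|SHA1|SHA256|IMPHASH)=")  # sits before Hashes
BODY_RE = {17: PIPE_RE, 18: PIPE_RE, 10: ACCESS_RE, 22: DNS_RE}

# Default beacon pipe names (MSSE-####-server is the one on this page); operators can
# rename them in the malleable C2 profile, so treat a miss as inconclusive.
CS_DEFAULT_PIPES = (
    re.compile(r"^\\MSSE-\d{4}-server$", re.IGNORECASE),
    re.compile(r"^\\msagent_[0-9a-f]{2}$", re.IGNORECASE),
    re.compile(r"^\\postex_[0-9a-f]{4}$", re.IGNORECASE),
)


def parse_line(line):
    """Return a dict for one exported row, or None if the row is not a Sysmon event."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    body = ev.pop("body")
    ev["event_id"] = int(ev["event_id"])
    ev["raw_body"] = body
    body_re = BODY_RE.get(ev["event_id"])
    if body_re:
        b = body_re.match(body)
        if b:
            ev.update(b.groupdict())
    elif ev["event_id"] == 1:
        procs = PROC_RE.findall(body)            # LogonGuid is skipped: no image follows it
        if procs:
            ev["process_guid"], ev["process_id"], ev["image"] = procs[0]
            ev["parent_guid"], ev["parent_pid"], ev["parent_image"] = procs[-1]
        integ = INTEGRITY_RE.search(body)
        ev["integrity_level"] = integ.group(1) if integ else None
    return ev


def is_cobalt_strike_pipe(pipe_name):
    return any(p.match(pipe_name or "") for p in CS_DEFAULT_PIPES)


def suspicious_lsass_access(ev):
    """Event 10 with lsass.exe as TARGET and PROCESS_VM_READ (0x10) or PROCESS_ALL_ACCESS (0x1fffff).
    lsass.exe as the SOURCE (LSA servicing an SSPI call, as in this export) does not count."""
    if not ev.get("target_image", "").lower().endswith("\\lsass.exe") or not ev.get("granted_access"):
        return False
    access = int(ev["granted_access"], 16)
    return bool(access & 0x0010) or access == 0x1FFFFF


def pivot(events, guid):
    """Every event in which the ProcessGuid appears (as its own process, source or target), in time order."""
    hits = [e for e in events if guid in (e.get("process_guid"), e.get("source_guid"), e.get("target_guid"))]
    return sorted(hits, key=lambda e: e["utc_time"])


def analyze(lines):
    events = [ev for ev in map(parse_line, lines) if ev]
    pipe_hits = [e for e in events if e["event_id"] in (17, 18) and is_cobalt_strike_pipe(e.get("pipe_name"))]
    lsass_hits = [e for e in events if e["event_id"] == 10 and suspicious_lsass_access(e)]
    pivots = {guid: pivot(events, guid) for guid in {e["process_guid"] for e in pipe_hits}}
    return {"events": events, "pipe_hits": pipe_hits, "lsass_hits": lsass_hits, "pivots": pivots}


if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    for hit in result["pipe_hits"]:
        print(f"{hit['utc_time']} {hit['event_type']:<11} {hit['pipe_name']} by {hit['image']} (pid {hit['process_id']})")
    for guid, chain in result["pivots"].items():
        print(f"timeline for ProcessGuid {{{guid}}}:")
        for e in chain:
            print(f"  {e['utc_time']} event {e['event_id']:>2} record {e['record_id']} {e.get('event_type') or ''}")
```

Run against the eight rows it prints the two pipe events and a six-event timeline for the beacon ProcessGuid (event 1, csrss opening the new process, pipe create, pipe connect, the lsass-as-source access, the DNS query). Because the source PID and thread ID in event 10 cannot be separated once the tab is gone, the timeline keys on GUIDs rather than PIDs; if you have the original tab-separated export, split on tabs instead and the regex gymnastics in HEADER_RE become unnecessary.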